Protect local MySQL DB access

Hi,

I just password-protected an intranet site by including a password
authentication script in each page of a private section. The script
checks the login against the MySQL database. Appropriate file
permissions have been set up on the private directory.

My concern is now about protecting the MySQL password. Let's assume I
use Apache to protect the access to this password (<files></files> or
SetEnv in httpd.conf).

In my intranet directory, I have a public folder where I let users put
their html/php files to build their own pages.

How can I prevent a user from creating a php file like this:

$conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
or die(mysql_error());

$sql = "update user set private_access = '1' where username = 'myself'";
$result = mysql_query($sql) or die(mysql_error());

In that way, without knowing the MySQL pwd, any user can finally have
access to the private section.

Can anyone tell me how I can manage this?

Thanks !
Jul 17 '05 #1
In article <b7**************************@posting.google.com >, Flier_75 wrote:
> How can I prevent a user from creating a php file like this:
>
> $conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
> or die(mysql_error());
>
> $sql = "update user set private_access = '1' where username = 'myself'";
> $result = mysql_query($sql) or die(mysql_error());
>
> In that way, without knowing the MySQL pwd, any user can finally have
> access to the private section.

Read the MySQL manual on access rights.
Add an account that has only rights on the columns/tables/databases it
should have (thus excluding the private_access column in this case).

--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>
Jul 17 '05 #2
Tim, thanks, but if I use an account that for instance doesn't have
access to the columns "private_access" and "user_password", then what
could I do if I want the users to be able to change their password from
my php pages?
These php pages use one and only one $_SERVER['SQL_USER'] account.

Tim Van Wassenhove <eu**@pi.be> wrote in message news:<2i************@uni-berlin.de>...
> In article <b7**************************@posting.google.com >, Flier_75 wrote:
> > How can I prevent a user from creating a php file like this:
> >
> > $conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
> > or die(mysql_error());
> >
> > $sql = "update user set private_access = '1' where username = 'myself'";
> > $result = mysql_query($sql) or die(mysql_error());
> >
> > In that way, without knowing the MySQL pwd, any user can finally have
> > access to the private section.
>
> Read the MySQL manual on access rights.
> Add an account that has only rights on the columns/tables/databases it
> should have (thus excluding the private_access column in this case).

Jul 17 '05 #3
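
An added example (not part of the original posts) of the column-level privileges suggested in reply #2, extended to the password-change case raised in reply #3 and written in current MySQL syntax. The table `user` and its columns come from the thread; the database name `intranet`, both account names and the placeholder passwords are assumptions, as is keeping the second account's credentials out of the environment that pages in the public folder can read.

```sql
-- Names assumed for this example (not from the thread): database `intranet`,
-- accounts 'public_pages' and 'private_pages', and the placeholder passwords.
-- Table `user` and columns username, user_password, private_access are from the thread.

-- Account whose credentials pages in the public folder can reach.
CREATE USER 'public_pages'@'localhost' IDENTIFIED BY 'REPLACE_WITH_SECRET_1';

-- Column-level grant: read-only, and only on the column those pages need.
-- No privilege at all on user_password or private_access.
GRANT SELECT (username)
  ON intranet.`user` TO 'public_pages'@'localhost';

-- Account for the private section's own scripts (login check, password change).
-- Assumption: its credentials are not exposed to the public folder.
CREATE USER 'private_pages'@'localhost' IDENTIFIED BY 'REPLACE_WITH_SECRET_2';

-- It may read what the login check needs and rewrite only the password column.
-- private_access stays read-only for it, so neither account can change that column.
GRANT SELECT (username, user_password, private_access),
      UPDATE (user_password)
  ON intranet.`user` TO 'private_pages'@'localhost';

-- Check the result.
SHOW GRANTS FOR 'public_pages'@'localhost';
SHOW GRANTS FOR 'private_pages'@'localhost';

-- Column-level grants are stored in mysql.columns_priv.
SELECT User, Host, Table_name, Column_name, Column_priv
  FROM mysql.columns_priv
 WHERE Db = 'intranet' AND Table_name = 'user'
 ORDER BY User, Column_name;

-- Connected as public_pages, the statement from the question is refused
-- with a "command denied" error:
--   UPDATE `user` SET private_access = '1' WHERE username = 'myself';

-- Connected as private_pages, a password change works because the WHERE
-- clause only reads a column covered by the SELECT grant:
--   UPDATE `user` SET user_password = '<new value>' WHERE username = 'myself';
-- while the same account still cannot update private_access.
```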
