473,386 Members | 1,796 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > protect local mysql db access

Join Bytes to post your question to a community of 473,386 software developers and data experts.

Protect local Mysql DB access

Hi,

I just password-protected an intranet site by including a password
authentication script in each page of a private section. The script
checks the login against the mySQL database. Appropriate file
permissions have been set up on the private directory.

My concern is now about protecting the Mysql password. Let's assume I
use Apache to protect the access to this password (<files></files> or
SetEnv in httpd.conf).

In my intranet directory, I have a public folder where I let users put
their html/php files to build their own pages.

How can I prevent a user from creating a php file like this :

$conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
or die(mysql_error());

$sql = 'update user set private_access= '1' where username =
'myself'';
$result = mysql_query($sql) or die(mysql_error());

In that way, without knowing the Mysql pwd, any user can finally have
access to the private section.

Can anyone tell me how I can manage this ?

Thanks !
Jul 17 '05 #1
2 2341
In article <b7**************************@posting.google.com >, Flier_75 wrote:
How can I prevent a user from creating a php file like this :

$conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
or die(mysql_error());

$sql = 'update user set private_access= '1' where username =
'myself'';
$result = mysql_query($sql) or die(mysql_error());

In that way, without knowing the Mysql pwd, any user can finally have
access to the private section.


Read the MySQL manual on access rights.
Add an account that has only rights on the columns/tables/databases it
should have (Thus excluding thet private_access column in this case).

--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>
Jul 17 '05 #2
Tim, thanks but if I use an account that for instance doesn't have
access to the columns "private_access" and "user_password", then how
could I do if I want the users be able to change their password from
my php pages ?
These php pages use one and only one $_SERVER['SQL_USER'] account.

Tim Van Wassenhove <eu**@pi.be> wrote in message news:<2i************@uni-berlin.de>...
In article <b7**************************@posting.google.com >, Flier_75 wrote:
How can I prevent a user from creating a php file like this :

$conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
or die(mysql_error());

$sql = 'update user set private_access= '1' where username =
'myself'';
$result = mysql_query($sql) or die(mysql_error());

In that way, without knowing the Mysql pwd, any user can finally have
access to the private section.


Read the MySQL manual on access rights.
Add an account that has only rights on the columns/tables/databases it
should have (Thus excluding thet private_access column in this case).

Jul 17 '05 #3
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
Local Access database to shared PHP/MySql hosting export
by: Mike MacSween | last post by:
My client has an MS Access database application on her local machine. I have full access to that in terms of changing the design. I've got a simple PHP/MySql application on shared hosting, so no...
PHP
0
Can't connect to local MySQL question
by: Bill Hernandez | last post by:
Hi, I've been writing software on the mac since 1987, but am brand new at unix/php/mysql, and that's where I'm headed so I'm reading everything I can get my hands on, but like anything else...
MySQL Database
3
local interface to MySQL
by: Shank | last post by:
I need to harvest data from MySQL tables. My experience is with MSSQL and Enterprise Manager. I also connect to MSSQL with Access and ODBC. I don't need to manage anything. I just need the data....
MySQL Database
1
"To help protect your security, "
by: McKirahan | last post by:
What is "active content"? My ASP page just returns HTML.... I have a page with an .htm extension that has a form whose action is an ASP page which generates a report after updating a database...
ASP / Active Server Pages
1
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)
by: jiing | last post by:
Now let me describe what I have done and my purpose: Originally, I want to user ports to install phpBB But I found that phpBB doesn't support mysql 5.x (but the ports installed mySQL 5.0.0...
MySQL Database
1
Differences between DATA INFILE and LOAD DATA LOCAL INFILE ?
by: Ray in HK | last post by:
What are the differences between LOAD DATA INFILE and LOAD DATA LOCAL INFILE ? I found some web hosting company do not allow using LOAD DATA INFILE but allow LOAD DATA LOCAL INFILE. The reason...
MySQL Database
22
Password protect access DB?
by: teejayem | last post by:
Hi, I am new to programming with databases and was wanting some help. Is there any way to password protect an access database and access sent sql commands to it via vb.net code? Any help...
Visual Basic .NET
8
Connecting to local database from Internet
by: mouac01 | last post by:
I'm not sure if this is possible. I would like to have a PHP app on the Internet connect and write to a local database (Intranet). For example, users would go to a web site...
PHP
6
error# 2002 can't connect to local mysql server '/var/mysql/mysql.sock' (2)
by: markodilore | last post by:
Hey Guys, you helped me once when I tryied to create a database : "Access denied for user ''@'localhost' ". On my Mac OS 10.4, I had no problem creating database and modifying it from the terminal....
MySQL Database
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!