
access mysql without root pwd in code


kimdan


PHP forum users, thanks in advance for your interest.

 

I am beginning LAMP,

 

can only access mysql using the mysql_connect statement.

 

created a limited mysql-user, granting many permissions for a test database only.

 

I entered that user in the mysql_connect expression

 

in the apache 2.4 log, reported access denied

 

(by the way, where do I find this event recorded in a mysql log?)

 

Yet with root user, access passed.

 

 

So-----

the password is not hashed. In fact standard linux-users have read privilege to the /var/www/html directory and can view the pwd!

 

How do people access mysql without exposed root password?

 

Is there a way to use mysql_connect with a limited mysql-user? What privileges need to be granted? Or required some other setting?

 

One could, I guess, limit access privileges to /var/www/html? Isn't that less secure than linux user-passwords for example, which are hashed?

 

Another way -- encrypt the folder (I saw something like htaccess)?

 

Any suggested way, or reference to material? In particular, what is the shortest way for someone only beginning?

 

Thanks again!

Dan

 


Users on your computer will be able to read your files, yes. But someone accessing your website will not be able to see the PHP source within the .php files; they will only see the output.

If you want to prevent users of your computer from accessing your files, then I recommend you change Apache's config (I recommend setting up a new virtual host) so it serves your websites from your home directory. Then you can set your home directory (or your website's document root directory) file permissions to 0750. This will prevent other users from accessing your files.

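The 0750 scheme suggested in the reply above, as an added example that is not part of the original thread: shell functions that list everything under a web root accessible to other local users, then tighten it. The demo tree and placeholder password are constructed, and it assumes the directory's group is the one Apache runs as, since with 0750 the web server needs owner or group access.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a web root that holds
# a PHP file with database credentials. All paths below are constructed.

# Print every file or directory under $1 that grants any permission
# (read, write or execute) to "other", i.e. to all local users.
find_exposed() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Apply the 0750 scheme: directories 0750, regular files 0640.
# Owner keeps full access, group (assumed to be the web server's group)
# can read and traverse, everyone else gets nothing.
lock_down() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Return 0 when nothing under $1 is accessible to "other".
is_private() {
    [ -z "$(find_exposed "$1")" ]
}

# Constructed demo tree standing in for a document root.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site/inc"
    printf '<?php $db_pass = "PLACEHOLDER"; ?>\n' > "$root/site/inc/db.php"
    chmod 0755 "$root/site" "$root/site/inc"
    chmod 0644 "$root/site/inc/db.php"

    echo "before:"; find_exposed "$root/site"
    lock_down "$root/site"
    echo "after:";  find_exposed "$root/site"
    is_private "$root/site" && echo "no access for other users"
    rm -rf "$root"
}
demo
```

This only changes mode bits; assigning the web server's group to the tree (with `chgrp`) is a separate step that normally needs root.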

Thanks for the advice!

 

I will look for the 0750 file permission.

 

I realize that the design is such that HTTP client would not have access to the php script. But for security standards, my guess with no experience is that, as I wrote, the linux-user password is more secure than this because it is encrypted and is hidden even from a linux admin user. That guess is not correct in any practical sense?

