Jump to content

Database Security


Go to solution Solved by requinix,

Recommended Posts

Hi all,

 

An article on wikihow on Secure Login Script, in Part 2, under the heading Configure the MySql Database states that we can create previliges for users. It then goes on to create a user with details : 

 

USER : "sec_user".  

Password "eKcGZr... WU"

 

It then states that "Remember it doesn't need to be  a password that you can remember so make it as complicated as possible."

 

The question is regarding this last statement. Why don't we need to remember this password?

 

Also I would like to ask what other security measure do we need to take as regards the MySql database? Also things like settings in the config files etc.

 

Thanks all !

 

 

Link to comment
https://forums.phpfreaks.com/topic/294833-database-security/
Share on other sites

  • Solution

Because you aren't going to log into MySQL yourself. It's for the code, and if you ever need to know what it is you can simply go into the code and find it.

 

Also I would like to ask what other security measure do we need to take as regards the MySql database? Also things like settings in the config files etc.

There's not a whole lot, regarding MySQL specifically. Make sure your users have as limited access as you can get away with: simple read and write users shouldn't need to create databases or alter tables, for example.

 

There aren't really security settings in the config files...

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/294833-database-security/#findComment-1506501
Share on other sites

Hi requinix, 

 

Thanks for the reply. I think I get it but just to be doubly sure I'ld like to ask some more.

 

 

Because you aren't going to log into MySQL yourself.

 Do you mean like log into using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin ?? I don't think so but please confirm. 

 

 

 

simple read and write users shouldn't need to create databases or alter tables

What if my application is altering or updating the tables based on the user interaction -  for eg. inserting the scores of the user in a database or altering them? 

Now that would tantamount to a write operation and so would I need to allow INSERT and UPDATE privilege to the user? 

 

Thanks for the reply and look forward to some more clarifications.

Edited by ajoo
Link to comment
https://forums.phpfreaks.com/topic/294833-database-security/#findComment-1506517
Share on other sites

 

Do you mean like log into using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin ?? I don't think so but please confirm.

No. But you still need to give the correct password to phpmyadmin.

 

 

What if my application is altering or updating the tables based on the user interaction

You misunderstood what requinix meant by alter table. He meant users should not be able to alter the structure of the table (ie, add/remove columns from the table). A simple read/write user should only be allowed todo select, insert, update and delete operations.

Link to comment
https://forums.phpfreaks.com/topic/294833-database-security/#findComment-1506520
Share on other sites

Actually I think OP is confusing the word "user" in this instance.  In your original post, the "user" being referred to is between server (i.e. apache) and a client-server (mysql).  Where a (privileged) "user"could be root or admin or some other entity you setup when creating the database.  

 

Later in your second post, I believe you are thinking about a "user" as in a web user who is filling in some form from a web page.  Or some entity/person who has authorization to run queries against the database though your scripts.  Like updating a table.

 

The connection is owned by the client-server (like MySQL), but the person doing the action (filling in a form and submitting it) is simply an un-priviledge web user. MySQL is a client-server to your web user who has authorization to use do some task, like updating a table.  

 

Thats how I'm reading this thread anyway.

  • Like 1
Link to comment
https://forums.phpfreaks.com/topic/294833-database-security/#findComment-1506524
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.