ajoo Posted February 23, 2015

Hi all,

An article on wikihow on Secure Login Script, in Part 2, under the heading Configure the MySql Database states that we can create privileges for users. It then goes on to create a user with details:

USER : "sec_user". Password "eKcGZr... WU"

It then states that "Remember it doesn't need to be a password that you can remember so make it as complicated as possible."

The question is regarding this last statement. Why don't we need to remember this password?

Also I would like to ask what other security measure do we need to take as regards the MySql database? Also things like settings in the config files etc.

Thanks all!

requinix Posted February 23, 2015 (Solution)

Because you aren't going to log into MySQL yourself. It's for the code, and if you ever need to know what it is you can simply go into the code and find it.

> Also I would like to ask what other security measure do we need to take as regards the MySql database? Also things like settings in the config files etc.

There's not a whole lot, regarding MySQL specifically. Make sure your users have as limited access as you can get away with: simple read and write users shouldn't need to create databases or alter tables, for example. There aren't really security settings in the config files...

ajoo Posted February 23, 2015 (edited)

Hi requinix,

Thanks for the reply. I think I get it but just to be doubly sure I'd like to ask some more.

> Because you aren't going to log into MySQL yourself.

Do you mean like log into using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin?? I don't think so but please confirm.

> simple read and write users shouldn't need to create databases or alter tables

What if my application is altering or updating the tables based on the user interaction, e.g. inserting the scores of the user in a database or altering them? Now that would be tantamount to a write operation and so would I need to allow INSERT and UPDATE privilege to the user?

Thanks for the reply and look forward to some more clarifications.

Ch0cu3r Posted February 23, 2015

> Do you mean like log into using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin?? I don't think so but please confirm.

No. But you still need to give the correct password to phpMyAdmin.

> What if my application is altering or updating the tables based on the user interaction

You misunderstood what requinix meant by alter table. He meant users should not be able to alter the structure of the table (i.e., add/remove columns from the table). A simple read/write user should only be allowed to do select, insert, update and delete operations.
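
The read/write account described in the replies above, written out as MySQL statements. This is an added example, not part of the original thread; the database name `app_db`, the host `localhost` and the password placeholder are assumptions, and only `sec_user` comes from the question.

```sql
-- Added example. Assumed names: database app_db, host localhost,
-- and a placeholder password. Run these as an administrative account.

-- Too broad for the account a web application connects with:
-- it would include ALTER, CREATE, DROP and every other privilege.
-- GRANT ALL PRIVILEGES ON *.* TO 'sec_user'@'localhost';

-- Least privilege: the account the PHP code uses gets only the four
-- data operations, and only on the application's own database.
CREATE USER 'sec_user'@'localhost'
    IDENTIFIED BY '<long-random-password-placeholder>';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON app_db.* TO 'sec_user'@'localhost';

-- Check what the account actually holds.
SHOW GRANTS FOR 'sec_user'@'localhost';

-- Audit: database-level privileges beyond the four data operations.
-- The grantee column stores the account with its quotes, hence the
-- doubled single quotes in the literal. An empty result is the goal.
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE grantee = '''sec_user''@''localhost'''
  AND privilege_type NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE');

-- Audit: global privileges. USAGE means "no privileges" and is the
-- only row a limited account should have here.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE grantee = '''sec_user''@''localhost'''
  AND privilege_type <> 'USAGE';
```

With these grants the application can still insert and update rows such as user scores, while statements that change table structure are refused for this account.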

rwhite35 Posted February 23, 2015

Actually I think OP is confusing the word "user" in this instance. In your original post, the "user" being referred to is between server (i.e. apache) and a client-server (mysql). Where a (privileged) "user" could be root or admin or some other entity you set up when creating the database.

Later in your second post, I believe you are thinking about a "user" as in a web user who is filling in some form from a web page. Or some entity/person who has authorization to run queries against the database through your scripts. Like updating a table. The connection is owned by the client-server (like MySQL), but the person doing the action (filling in a form and submitting it) is simply an unprivileged web user. MySQL is a client-server to your web user who has authorization to do some task, like updating a table.

That's how I'm reading this thread anyway.