
Re: Actual Newbie Question with mysql connect
Posted by: Rick James
Date: September 12, 2009 09:09PM

"For mysql connect, do I supply root username/password directly into php code?" -- Yes. This is a relatively minor security issue.

It would help to have two logins: one for just reading, one for read/write. This way, "sql injection" is somewhat restricted.

ALWAYS escape anything that came from the user (or the URL) that needs to go into SQL. Eg,
$sql = "SELECT ... WHERE foo = '$input_arg'"
is the place where sql injection is easy to do. Use mysql_real_escape_string(), or equivalent, on $input_arg.

"where does that username/password go" -- In a database table. You could save the password encrypted, and only compare the encrypted pwd with what is in the table. A single call to md5 should do. Probably should not use aes_encrypt() because the encryption key has to be reachable by php code. Also, you don't need to decrypt the password; a trap-door is quite adequate.

"Could I create a database user to use for my mysql connect connection to server?" -- Don't. That would mean you would have to have a "with grant option" user/pwd ready to connect to the db (and ready for a hacker).

If your web server is on the same machine with mysql, consider connecting via 'localhost' and do skip-networking. If they are on separate machines, make sure port 3306 is blocked to the outside world.

"source viewable" -- That is configurable in the web server (Apache?). Do not enable it; it would expose the pwds.

Check every input from the user. JavaScript can be injected via <script>, be sure to remove < or turn it into &lt;. (etc)

open_basedir -- clamp it down as much as you can.

Be cautious about uploading into php.

Mysql files/directories should be owned by 'mysql' and inaccessible to anyone else. (And vice versa, somewhat.)
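The points in the post above (two logins, never interpolating user input into SQL, storing only a one-way hash of the password, escaping anything echoed back into HTML) as one added PHP example. This is not code from the post or from MySQL; it assumes a MySQL database "app" with a table users(id, name, pwhash) and two MySQL accounts, app_ro (SELECT only) and app_rw (SELECT/INSERT/UPDATE), all of which are placeholders. It uses PDO prepared statements in place of mysql_real_escape_string(), and password_hash()/password_verify() in place of the single md5() call the post mentions.

```php
<?php
// Added example, not from the forum post. All names and credentials below are
// placeholders; in a real deployment read them from a config file kept outside
// the web root (see the post's open_basedir / "source viewable" points).

declare(strict_types=1);

const DSN = 'mysql:host=localhost;dbname=app;charset=utf8mb4';

// Two logins, as the post suggests: a read-only one for ordinary page rendering,
// a read/write one only for the few code paths that must modify data. A SQL
// injection reached through the read-only connection cannot write or drop anything.
function connect(string $user, string $password): PDO
{
    return new PDO(DSN, $user, $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The pattern the post warns about, shown here only as what NOT to do:
//   $sql = "SELECT ... WHERE name = '$input_arg'";
// A prepared statement with a bound parameter keeps query text and data apart,
// so user input can never change the structure of the SQL.
function findUser(PDO $ro, string $name): ?array
{
    $stmt = $ro->prepare('SELECT id, name, pwhash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Store only a one-way hash of the password (the post's "trap-door"); there is no
// key to protect and nothing to decrypt. password_hash() salts each hash itself.
function createUser(PDO $rw, string $name, string $password): int
{
    $stmt = $rw->prepare('INSERT INTO users (name, pwhash) VALUES (:name, :pwhash)');
    $stmt->execute([
        ':name'   => $name,
        ':pwhash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $rw->lastInsertId();
}

// Verify by hashing the candidate and comparing with the stored hash.
function checkLogin(PDO $ro, string $name, string $password): bool
{
    $row = findUser($ro, $name);
    if ($row === null) {
        return false;
    }
    return password_verify($password, $row['pwhash']);
}

// For output into HTML, escape rather than strip: "<script>" becomes "&lt;script&gt;".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with placeholder credentials. Only the registration path needs $rw.
$ro = connect('app_ro', 'READ_ONLY_PASSWORD_PLACEHOLDER');
$rw = connect('app_rw', 'READ_WRITE_PASSWORD_PLACEHOLDER');

$name = $_POST['name'] ?? '';       // untrusted
$pass = $_POST['password'] ?? '';   // untrusted

if (isset($_POST['register'])) {
    $id = createUser($rw, $name, $pass);
    echo 'Created user #' . $id . ' (' . h($name) . ')';
    exit;
}

if (!checkLogin($ro, $name, $pass)) {
    http_response_code(401);
    echo 'Login failed for ' . h($name);   // any injected markup is rendered inert
    exit;
}
echo 'Welcome, ' . h($name);
```

The read-only account is the default connection; the read/write one is opened only on the code path that inserts, which is the practical form of the "two logins" advice in the post.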
