MySQL root password and other configuration issues
Christian J
Jun 16 2010, 05:28 PM
Post #1
I'm finally going to try learning MySQL, and have installed a MySQL server on my computer (Windows with Apache and PHP). After some confusion I found that in order to succeed with PHP mysql_connect() I needed the username "root" and the MySQL root password created during the installation. Related questions:
- Is a root password necessary or useful on an offline testing server? Is it practical to make a new user account (with passwords?) in addition to root for each site I'm testing offline?
- Any other security precautions? For example there's a "skip-networking" directive, which stops MySQL from listening on a TCP/IP port.
- In phpinfo.php the "mysql.default_user" and "mysql.default_password" directives are listed. What are they used for? Apparently they're not the same as the MySQL root and password.
- What is http://www.php.net/manual/en/ini.core.php#ini.sql.safe-mode used for? When enabled mysql_connect() fails, apparently because it makes PHP ignore my root password. So when do you use safe mode -- when passwords are not used (sounds contradictory)?
- Anything else to think of, so that my offline configurations won't differ too much from what online webhosts look like? I don't have any web host offering MySQL, so I can't check.
Christian J
Jun 21 2010, 06:11 AM
Post #2
http://devzone.zend.com/article/760-SQLite...uction#Heading8 says:
"If any query in SQLite uses user-specified input you should take extra care to validate that input, to prevent SQL injection. Unlike in MySQL, where this would only cause an embarrassing query error, in SQLite it would allow the attacker to execute a query on your server, with potentially disastrous consequences."

Could these potentially disastrous consequences make web hosts reluctant to allow SQLite?
Brian Chandler
Jun 21 2010, 06:46 AM
Post #3
Could these potentially disastrous consequences make web hosts reluctant to allow SQLite?
---
I don't think so. I don't understand the basis for claiming that in MySQL there would "only be a query error". (You understand how SQL injection works?)

Simple program:

    sql_call("SELECT * FROM thing WHERE fish ='" . $_GET['breed'] . "'");

The user is supposed to supply something like 'salmon', and this forms a single query to do the obvious thing. But if the user supplies the string delineated by square brackets:

    [salmon'; DROP TABLE fish; 'x'='x]

... then this generates a perfectly valid sequence of SQL commands, where the middle one can do any mischief desired. This "works" just as well on MySQL as anywhere else.
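Added example (not part of the thread): the lookup from the post above written both ways in PHP with PDO, run against a constructed in-memory SQLite table so the concatenated query and a bound-parameter query can be compared on the same inputs. The function names, the sample rows and the use of PDO are assumptions of this example.

```php
<?php
// Added example, not from the thread. Table and column names follow the post;
// the rows and the in-memory SQLite database are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE thing (id INTEGER PRIMARY KEY, fish TEXT)");
$insert = $pdo->prepare("INSERT INTO thing (fish) VALUES (?)");
foreach (["salmon", "trout", "St Peter's fish"] as $name) {
    $insert->execute([$name]);
}

// Pattern from the post: the input becomes part of the SQL text itself.
function find_concatenated(PDO $pdo, string $breed): array
{
    $sql = "SELECT * FROM thing WHERE fish ='" . $breed . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the input is bound as a value.
function find_bound(PDO $pdo, string $breed): array
{
    $stmt = $pdo->prepare("SELECT * FROM thing WHERE fish = ?");
    $stmt->execute([$breed]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Run a lookup and describe the outcome without aborting the script.
function describe(callable $lookup, PDO $pdo, string $breed): string
{
    try {
        $rows = $lookup($pdo, $breed);
        return count($rows) . " row(s): " . implode(", ", array_column($rows, "fish"));
    } catch (PDOException $e) {
        return "error: " . $e->getMessage();
    }
}

$inputs = [
    "salmon",                             // expected input
    "St Peter's fish",                    // legitimate value containing a quote
    "salmon'; DROP TABLE fish; 'x'='x",   // string quoted in the post
];
foreach ($inputs as $breed) {
    echo "input: [$breed]\n";
    echo "  concatenated: " . describe('find_concatenated', $pdo, $breed) . "\n";
    echo "  bound:        " . describe('find_bound', $pdo, $breed) . "\n";
}
```

With the bound form, the second and third inputs are compared as plain strings, so an apostrophe in the value needs no escaping and cannot end the string literal.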