The Web Design Group


MySQL root password and other configuration issues
Christian J
Posted Jun 16 2010, 05:28 PM
Post #1


.
********

Group: WDG Moderators
Posts: 9,681
Joined: 10-August 06
Member No.: 7



I'm finally going to try learning MySQL, and have installed a MySQL server on my computer (Windows with Apache and PHP). After some confusion I found that in order to succeed with PHP mysql_connect() I needed the username "root" and the MySQL root password created during the installation. Related questions:

- Is a root password necessary or useful on an offline testing server? Is it practical to make a new user account (with passwords?) in addition to root for each site I'm testing offline?

- Any other security precautions? For example there's a "skip-networking" directive, which stops MySQL from listening on a TCP/IP port.

- In phpinfo.php the "mysql.default_user" and "mysql.default_password" directives are listed. What are they used for? Apparently they're not the same as the MySQL root and password.

- What is http://www.php.net/manual/en/ini.core.php#ini.sql.safe-mode used for? When enabled mysql_connect() fails, apparently because it makes PHP ignore my root password. So when do you use safe mode --when passwords are not used (sounds contradictory)?

- Anything else to think of, so that my offline configurations won't differ too much from what online webhosts look like? I don't have any web host offering MySQL, so I can't check.
Replies
Christian J
Posted Jun 21 2010, 06:11 AM
Post #2


Group: WDG Moderators
Posts: 9,681
Joined: 10-August 06
Member No.: 7



http://devzone.zend.com/article/760-SQLite...uction#Heading8 says:

"If any query in SQLite uses user-specified input you should take extra care to validate that input, to prevent SQL injection. Unlike in MySQL, where this would only cause an embarrassing query error, in SQLite it would allow the attacker to execute a query on your server, with potentially disastrous consequences."

Could these potentially disastrous consequences make web hosts reluctant to allow SQLite?
Brian Chandler
Posted Jun 21 2010, 06:46 AM
Post #3


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



QUOTE(Christian J @ Jun 21 2010, 08:11 PM)

http://devzone.zend.com/article/760-SQLite...uction#Heading8 says:

"If any query in SQLite uses user-specified input you should take extra care to validate that input, to prevent SQL injection. Unlike in MySQL, where this would only cause an embarrassing query error, in SQLite it would allow the attacker to execute a query on your server, with potentially disastrous consequences."

Could these potentially disastrous consequences make web hosts reluctant to allow SQLite?


Could these potentially disastrous consequences make web hosts reluctant to allow SQLite? --- I don't think so. I don't understand the basis for claiming that in mysql there would "only be a query error".

(You understand how sql injection works?) Simple program:

sql_call("SELECT * FROM thing WHERE fish ='" . $_GET['breed'] . "'");

The user is supposed to supply something like 'salmon', and this forms a single query to do the obvious thing.

But if the user supplies the string delineated by square brackets: [salmon'; DROP TABLE fish; 'x'='x]
... then this generates a perfectly valid sequence of SQL commands, where the middle one can do any mischief desired.

This "works" just as well on MySQL as anywhere else.
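As an added example (not code from the thread), here is the concatenation pattern from the post beside its parameterized replacement, run against an in-memory SQLite database with Python's sqlite3 module. The table name `thing` and column `fish` follow the post, the rows are constructed, and the hostile input is a single-statement variant of the post's payload because sqlite3's execute() refuses to run more than one statement at a time.

```python
import sqlite3

# Constructed sample data, mirroring the "thing" table and "fish" column from the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thing (id INTEGER PRIMARY KEY, fish TEXT)")
    conn.executemany("INSERT INTO thing (fish) VALUES (?)",
                     [("salmon",), ("trout",), ("carp",)])
    return conn

def lookup_concatenated(conn, breed):
    """The post's pattern: the user-supplied value is pasted into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT * FROM thing WHERE fish ='" + breed + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, breed):
    """Hardened form: the SQL text is fixed and the value travels separately as a
    bound parameter, so the engine only ever compares it as a string."""
    return conn.execute("SELECT * FROM thing WHERE fish = ?", (breed,)).fetchall()

def demo():
    conn = make_db()
    honest = "salmon"
    # Single-statement variant of the post's payload: once parsed as SQL, the
    # tautology 'x'='x' makes the WHERE clause true for every row.
    hostile = "salmon' OR 'x'='x"
    results = {
        "honest_concat": len(lookup_concatenated(conn, honest)),
        "honest_param": len(lookup_parameterized(conn, honest)),
        "hostile_concat": len(lookup_concatenated(conn, hostile)),
        "hostile_param": len(lookup_parameterized(conn, hostile)),
    }
    # The post's multi-statement payload: shown only as query text here, since
    # sqlite3 refuses to execute it, but a permissive driver would run all three.
    multi = "salmon'; DROP TABLE fish; 'x'='x"
    unsafe_text = "SELECT * FROM thing WHERE fish ='" + multi + "'"
    results["drop_in_query_text"] = "DROP TABLE" in unsafe_text
    results["multi_param"] = len(lookup_parameterized(conn, multi))
    results["rows_after"] = conn.execute("SELECT count(*) FROM thing").fetchone()[0]
    return results

if __name__ == "__main__":
    print(demo())
```

The two lookups agree on honest input and diverge only on hostile input, which is the whole point: the bound parameter cannot change the shape of the statement.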
