MySQL root password and other configuration issues
Christian J | Jun 16 2010, 05:28 PM | Post #1
I'm finally going to try learning MySQL, and have installed a MySQL server on my computer (Windows with Apache and PHP). After some confusion I found that in order to succeed with PHP mysql_connect() I needed the username "root" and the MySQL root password created during the installation. Related questions:
- Is a root password necessary or useful on an offline testing server? Is it practical to make a new user account (with passwords?) in addition to root for each site I'm testing offline?
- Any other security precautions? For example there's a "skip-networking" directive, which stops MySQL from listening on a TCP/IP port.
- In phpinfo.php the "mysql.default_user" and "mysql.default_password" directives are listed. What are they used for? Apparently they're not the same as the MySQL root and password.
- What is http://www.php.net/manual/en/ini.core.php#ini.sql.safe-mode used for? When enabled mysql_connect() fails, apparently because it makes PHP ignore my root password. So when do you use safe mode -- when passwords are not used (sounds contradictory)?
- Anything else to think of, so that my offline configurations won't differ too much from what online webhosts look like? I don't have any web host offering MySQL, so I can't check.
Christian J | Jun 21 2010, 06:11 AM | Post #2
http://devzone.zend.com/article/760-SQLite...uction#Heading8 says:

"If any query in SQLite uses user-specified input you should take extra care to validate that input, to prevent SQL injection. Unlike in MySQL, where this would only cause an embarrassing query error, in SQLite it would allow the attacker to execute a query on your server, with potentially disastrous consequences."

Could these potentially disastrous consequences make web hosts reluctant to allow SQLite?
Brian Chandler | Jun 21 2010, 06:46 AM | Post #3
QUOTE (Christian J)
http://devzone.zend.com/article/760-SQLite...uction#Heading8 says: "If any query in SQLite uses user-specified input you should take extra care to validate that input, to prevent SQL injection. Unlike in MySQL, where this would only cause an embarrassing query error, in SQLite it would allow the attacker to execute a query on your server, with potentially disastrous consequences." Could these potentially disastrous consequences make web hosts reluctant to allow SQLite?

I don't think so. I don't understand the basis for claiming that in mysql there would "only be a query error". (You understand how sql injection works?)

Simple program:

CODE
    sql_call("SELECT * FROM thing WHERE fish ='" . $_GET['breed'] . "'");

The user is supposed to supply something like 'salmon', and this forms a single query to do the obvious thing. But if the user supplies the string delineated by square brackets:

    [salmon'; DROP TABLE fish; 'x'='x]

... then this generates a perfectly valid sequence of SQL commands, where the middle one can do any mischief desired. This "works" just as well on MySQL as anywhere else.
Christian J | Jun 21 2010, 08:58 AM | Post #4
QUOTE (Brian Chandler)
(You understand how sql injection works?)

Only vaguely...

QUOTE (Brian Chandler)
But if the user supplies the string delineated by square brackets: [salmon'; DROP TABLE fish; 'x'='x] ... then this generates a perfectly valid sequence of SQL commands, where the middle one can do any mischief desired.

When I tried that I just got

    Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

and the table is still there. I simplified the code a little:

CODE
    #$result = mysql_query("SELECT * FROM Thing WHERE Fish ='Salmon'"); // works
    $result = mysql_query("SELECT * FROM Thing WHERE Fish ='Salmon'; DROP TABLE Thing; 'x'='x'"); // doesn't work
    #$result = mysql_query("DROP TABLE Thing"); // doesn't work
    echo '<pre>';
    while($row = mysql_fetch_array($result)) {
        print_r($row);
    }
    echo '</pre>';

Is something wrong with my code? Do I need the DROP privilege (how can I tell, or set it)? Or has MySQL prevented this? Haven't tested with SQLite.