
Database protection


lanmind


Hello everybody,

I have a MySQL database on my site with information that has taken me a long time to acquire. It's what makes my site relevant. The database is accessed through PHP and the database connection information is in a separate file.

I don't know where to start as far as protecting my database. Does anybody know of some good reads on the issue? I don't mind people getting bits of information from the DB at a time, I just don't want the whole DB copied or shared. I put a lot of effort into it.

Here's my site with a fake DB: http://www.dockhawk.com/


Here is a pretty detailed article about securing a MySQL server if you are the server admin: http://www.securityfocus.com/infocus/1726

But it sounds to me like you are more concerned about the protection of the DB via the PHP code. A couple of things to check for:

- Only allow the DB user the permissions they need to run the scripts. Example: no need allowing the DB user GRANT privileges.
- Never trust user input. Validate and escape the data before storing it into the DB.
- Place the config file above the public_html folder so that it is not available via the web.
- Apply user permission levels, i.e. a log-in system.
- Allow no errors to be displayed to the web on a live site.

These should get you started.


Thanks jlhaslip,

I've talked to others about this, and they say I need to see who is accessing my site, the DB and the sent queries. A web log. Are there any good free ones? I'm on a shared hosting account with GoDaddy.

Ty jlhaslip, here is where I'm at on a few things.

So it seems I have some real issues with the DB user privileges. Here are the current ones:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE

Now when you said: "No need allowing the DB user Grant privileges." Is that the "GRANT SELECT" like above? So I know which ones the user has, and I need to figure out what they need minimally.

Next, like you said, how would I "Allow no errors to be displayed to the Web on a live site."?

In my PHP file the password is wrong (from the config file) here: http://www.dockhawk.com/currentphp.php

So it gives me a few strings of errors (I've blamed! the username):

Warning: mysql_connect(): Access denied for user 'blamed!'@'208.109.181.180' (using password: YES) in /home/content/l/a/n/blamed!/html/currentphp.php on line 18
Not connected : Access denied for user 'blamed!'@'208.109.181.180' (using password: YES)

This first string:

"Warning: mysql_connect(): Access denied for user 'blamed!'@'208.109.181.180' (using password: YES) in /home/content/l/a/n/blamed!/html/currentphp.php on line 18"

I believe is coming from MySQL itself and is the errors you speak of that I shouldn't allow on my live site.

This second string:

"Not connected : Access denied for user 'blamed!'@'208.109.181.180' (using password: YES)"

I believe the PHP is actually outputting this and is also an issue because it shows the mysql_error(). In the PHP code it is:

    $connection = mysql_connect($hostname, $username, $password);
    if (!$connection) {
        die('Not connected : ' . mysql_error());
    }

So to stop these errors from appearing is my dilemma. Obviously I believe I can stop the second by removing the "mysql_error()" from the PHP itself. The first I am not sure of; could I do this in my PHP?

Thank you for your time jlhaslip.
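An added example, not code posted by lanmind or jlhaslip, that puts jlhaslip's checklist (config above the web root, validated input, no errors shown on a live site) and lanmind's error-message question into one working script. Two facts worth knowing before reading it: both strings lanmind quotes are emitted by PHP, the first as an E_WARNING that the display_errors setting controls, so the script itself can turn it off; and the mysql_* functions were removed in PHP 7, so the example uses PDO instead. On the privilege question, the "GRANT SELECT, INSERT, ..." line is the list of privileges the user holds; the GRANT privilege jlhaslip means would show up as "WITH GRANT OPTION" at the end of that line, which the quoted output does not have. Everything named here is an assumption: PHP 7.4 or later with the PDO MySQL driver, a file db_config.php one directory above the web root that sets $hostname, $dbname, $username and $password, a table docks with integer id and text name columns, and the variable and function names.

```php
<?php
// Added example (not code from the thread). Assumed: PHP 7.4+ with PDO MySQL,
// a db_config.php one directory ABOVE the web root defining $hostname, $dbname,
// $username, $password, and a table `docks` (id INT, name TEXT).
declare(strict_types=1);

// 1. Error detail never reaches the browser; it goes to the server error log.
//    This is what silences the "Warning: mysql_connect(): Access denied ..."
//    style of message on a live site.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Credentials live outside public_html/html, so the web server cannot
//    serve the file even if PHP processing is ever switched off.
require dirname(__DIR__) . '/db_config.php';

// Cap the page size so no single request can pull the whole table.
const MAX_PAGE_SIZE = 25;

function db_connect(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw, never print
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Input is validated before it goes anywhere near SQL, and values are bound,
// never concatenated into the query string.
function fetch_docks(PDO $pdo, $id, $limit): array
{
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // Out-of-range or non-numeric page sizes fall back to the cap.
    $limit = filter_var($limit, FILTER_VALIDATE_INT, ['options' => [
        'min_range' => 1, 'max_range' => MAX_PAGE_SIZE, 'default' => MAX_PAGE_SIZE,
    ]]);

    $stmt = $pdo->prepare(
        'SELECT id, name FROM docks WHERE id >= :id ORDER BY id LIMIT :lim'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

try {
    $pdo  = db_connect($hostname, $dbname, $username, $password);
    $rows = fetch_docks($pdo, $_GET['id'] ?? 1, $_GET['n'] ?? MAX_PAGE_SIZE);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (PDOException $e) {
    // The "Access denied for user ... (using password: YES)" text, with its
    // user name and host, is logged for the admin; the visitor sees only this.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'A database error occurred. Please try again later.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request.';
}
```

With a wrong password in db_config.php this script returns a 500 with the generic sentence above and writes the real "Access denied" reason to the error log, which on shared hosting is usually readable from the control panel. The page-size cap addresses lanmind's original worry directly: a visitor can page through the data, but cannot fetch it all in one query.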

