lanmind Posted September 28, 2008

Hello everybody,

I have a MySQL database on my site with information that has taken me a long time to acquire. It's what makes my site relevant. The database is accessed through PHP and the database connection information is in a separate file.

I don't know where to start as far as protecting my database. Does anybody know of some good reads on the issue? I don't mind people getting bits of information off the db at a time, I just don't want the whole db copied or shared. I put a lot of effort into it.

Here's my site with a fake db:
http://www.dockhawk.com/
jlhaslip Posted September 28, 2008

Here is a pretty detailed article about securing a MySQL server if you are the server admin: http://www.securityfocus.com/infocus/1726

But it sounds to me like you are more concerned about the protection of the DB via the PHP code. A couple of things to check for:

- Only allow the DB user for the DB the permissions they need to run the scripts. Example: no need allowing the DB user Grant privileges.
- Never trust user input. Validate and escape the data before storing it into the DB.
- Place the config file above the public_html folder so that it is not available via the Web.
- Apply user permission levels, i.e. a log-in system.
- Allow no errors to be displayed to the Web on a live site.

These should get you started.
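The points in the list above, as one PHP page (an added example; it is not code from this thread or from dockhawk.com). It assumes a credentials file at `../private/db.php` that sits above the web root and returns an array, a `docks` table with `name`, `lat`, `lng` and `city` columns, and a `city` query-string parameter; all of those names are made up for the example. User input is bound with PDO prepared statements rather than escaped by hand, the page size is capped so a visitor can only read a small slice per request, and a connection failure is logged in full but shown to the visitor only as a generic message.

```php
<?php
// Added example (not from the thread): a config file kept above the web root,
// a least-privilege connection, and parameterised queries so user input is
// never spliced into SQL. Paths, table and column names are assumptions.

// 1. Credentials live OUTSIDE public_html, e.g. /home/user/private/db.php, so
//    the web server cannot serve them even if it stops parsing .php files.
//    That file is assumed to contain:
//    <?php return ['host' => 'localhost', 'db' => 'dockhawk',
//                  'user' => 'dockhawk_web', 'pass' => '...'];
$config = require dirname(__DIR__) . '/private/db.php';

try {
    $dsn = "mysql:host={$config['host']};dbname={$config['db']};charset=utf8mb4";
    $pdo = new PDO($dsn, $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
} catch (PDOException $e) {
    error_log('DB connect failed: ' . $e->getMessage()); // detail goes to the log only
    http_response_code(503);
    exit('Service temporarily unavailable.');            // generic text for the visitor
}

// 2. Never trust user input: bind it, never concatenate it.
function findDocks(PDO $pdo, string $city, int $limit = 20): array
{
    // Quote and comment characters inside $city stay plain data because the
    // value is sent separately from the statement text.
    $stmt = $pdo->prepare('SELECT name, lat, lng FROM docks WHERE city = :city LIMIT :lim');
    $stmt->bindValue(':city', $city, PDO::PARAM_STR);
    // Cap the page size: bits of the data per request, never the whole table.
    $stmt->bindValue(':lim', min(max($limit, 1), 100), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$city = isset($_GET['city']) ? (string) $_GET['city'] : '';
foreach (findDocks($pdo, $city) as $row) {
    // Escape on output too, so stored data cannot become HTML in the page.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

On shared hosting the `private` directory is simply a sibling of `html`/`public_html` under the account's home; `dirname(__DIR__)` resolves to that parent from a script inside the web root, so no absolute path has to be hard-coded.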
lanmind Posted September 28, 2008 Author

> Here is a pretty detailed article about securing a MySQL server if you are the server admin: http://www.securityfocus.com/infocus/1726
> But it sounds to me like you are more concerned about the protection of the DB via the PHP code. A couple of things to check for:
> - Only allow the DB user for the DB the permissions they need to run the scripts. Example: no need allowing the DB user Grant privileges.
> - Never trust user input. Validate and escape the data before storing it into the DB.
> - Place the config file above the public_html folder so that it is not available via the Web.
> - Apply user permission levels, i.e. a log-in system.
> - Allow no errors to be displayed to the Web on a live site.
> These should get you started.

Thanks jlhaslip,

I've talked to others about this, and they say I need to see who is accessing my site, db and the sent queries. A web log. Are there any good free ones? I'm on a shared hosting account with GoDaddy.
lanmind Posted September 29, 2008 Author

> Here is a pretty detailed article about securing a MySQL server if you are the server admin: http://www.securityfocus.com/infocus/1726
> But it sounds to me like you are more concerned about the protection of the DB via the PHP code. A couple of things to check for:
> - Only allow the DB user for the DB the permissions they need to run the scripts. Example: no need allowing the DB user Grant privileges.
> - Never trust user input. Validate and escape the data before storing it into the DB.
> - Place the config file above the public_html folder so that it is not available via the Web.
> - Apply user permission levels, i.e. a log-in system.
> - Allow no errors to be displayed to the Web on a live site.
> These should get you started.

Ty jlhaslip, here is where I'm at on a few things.

So it seems I have some real issues with the DB user privileges. Here are the current:

GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE

Now when you said: "No need allowing the DB user Grant privileges." Is that the "GRANT SELECT" like above? So I know which ones the user has and I need to figure out what they need minimally.

Next, like you said, how would I "Allow no errors to be displayed to the Web on a live site."? In my PHP file the password is wrong (from the config file) here: http://www.dockhawk.com/currentphp.php

So it gives me a few strings of errors (I've blamed! the username):

Warning: mysql_connect(): Access denied for user 'blamed!'@'208.109.181.180' (using password: YES) in /home/content/l/a/n/blamed!/html/currentphp.php on line 18
Not connected : Access denied for user 'blamed!'@'208.109.181.180' (using password: YES)

This first string:
"Warning: mysql_connect(): Access denied for user 'blamed!'@'208.109.181.180' (using password: YES) in /home/content/l/a/n/blamed!/html/currentphp.php on line 18"
I believe is coming from MySQL itself and is the errors you speak of that I shouldn't allow on my live site.

This second string:
"Not connected : Access denied for user 'blamed!'@'208.109.181.180' (using password: YES)"
I believe the PHP is actually outputting this and is also an issue because it shows the mysql_error(). In the PHP code it is:

$connection = mysql_connect($hostname, $username, $password);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

So to stop these errors from appearing is my dilemma. Obviously I believe I can stop the second by removing the "mysql_error()" from the PHP itself. The first I am not sure of, could I do this in my PHP?

Thank you for your time jlhaslip.
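The connection from the post above, rewritten so that neither error string reaches a visitor, plus the privilege clean-up the post asks about (an added example, not code from the thread or from dockhawk.com). The `Warning: mysql_connect(): ...` line is produced by PHP's own error reporting, with MySQL's "Access denied" text embedded in it, so it is controlled by PHP's `display_errors` and `log_errors` settings; the second line is the script's `die()`. In MySQL the privilege jlhaslip means is `GRANT OPTION` (the right to hand privileges to other accounts), which the post's list does not contain; `GRANT SELECT, ...` is just the statement that assigns the listed privileges. `mysqli` replaces the `mysql_*` functions, which were removed in PHP 7. Host, database, table and account names are assumptions.

```php
<?php
// Added example (not from the thread): a connection whose failure is logged in
// full but shown to visitors only as a generic message, followed by the
// least-privilege GRANTs a DBA would run. Names and paths are assumptions.

// --- Part 1: error visibility. These settings belong in php.ini (or a
//     .user.ini on shared hosting) so they apply before any script runs:
//         display_errors = Off
//         log_errors     = On
//         error_log      = /home/user/private/php-error.log
//     Setting them here as well covers a host whose php.ini cannot be edited.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', dirname(__DIR__) . '/private/php-error.log');

$config = require dirname(__DIR__) . '/private/db.php'; // kept outside the web root

// Make mysqli throw exceptions instead of emitting
// "Warning: mysqli_connect(): Access denied for user ..." into the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectDb(array $config): mysqli
{
    try {
        $db = new mysqli($config['host'], $config['user'], $config['pass'], $config['db']);
        $db->set_charset('utf8mb4');
        return $db;
    } catch (mysqli_sql_exception $e) {
        // The account name, client address and "(using password: YES)" are
        // useful to the site owner in the log, not to the visitor on the page.
        error_log(sprintf('[%s] DB connect failed: %s', date('c'), $e->getMessage()));
        http_response_code(503);
        exit('The site is temporarily unavailable. Please try again later.');
    }
}

$db = connectDb($config);

// --- Part 2: the minimal privilege set, run once by the MySQL admin account,
//     never by the web application itself. The list in the post lets the web
//     account create and drop tables, views and routines; a site that only reads
//     rows, and writes a few, needs none of that.
//
//     GRANT SELECT ON dockhawk.* TO 'dockhawk_web'@'localhost';
//     GRANT INSERT, UPDATE, DELETE ON dockhawk.docks TO 'dockhawk_web'@'localhost';
//     REVOKE CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES,
//            EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE
//         ON dockhawk.* FROM 'dockhawk_web'@'localhost';
//     FLUSH PRIVILEGES;
//
//     Verify afterwards with:  SHOW GRANTS FOR 'dockhawk_web'@'localhost';
```

A quick way to confirm the first part works is to deliberately use a wrong password on a test copy of the page: the browser should show only the 503 text, while the full "Access denied" detail appears in `private/php-error.log`. If the host's control panel manages MySQL users, the same privilege change is made by unticking everything except SELECT (and the write privileges the site actually uses) for the web account.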