Is It Ok To Give Out Database Information?

[reflex84]

Hi, Quick question ...I've got someone asking me to create a database on my servers MySQL and they are asking for login information, ie: host, database name, database username and database password.Is this information safe to give out? Not recommended? Can they ever in future access my MySQL and delete / manipulate databases that I have there already? Let me know, thanks. R.

[Ingolme]

It sounds like they need to make their application connect to your database. One way is to hardcode the username and password into the code: mysql_connect("server","username","password")But the other way is to have an installer file that asks you for that data the first time you run it and then uses it later on. See if you can get the developer to do that. It's not really safe to give that information away.

[Synook]

User accounts in MySQL are not per-database: you can create a user account and associate it with as many databases on the system as you like, and also specify more granular permissions (e.g. whether they can CREATE TABLEs). Thus, if you want to give the user unrestricted access to a single database or set of databases, it is possible, and bar someone modifying their permissions in the future they will not be able to access databases they don't have permission to.

[reflex84]

Hi Guys, thanks for your input ... they say they need it to install wordpress, thats why they need that database information. Shouldn't I just install it and then give them the login password to their wordpress control panel?

[Synook]

Are they a client renting your servers, or just like a friend?

[reflex84]

Its a client who hosting his website (not a wordpress site) with me and its another company who my client bought a wordpress plugin from who wants my MySQL details....

[Synook]

Well, it's up to you then, but yes, it would probably be perfectly feasible, and safer, to just install the stuff yourself.

[reflex84]

Hi, When saying that I can't give out Database login details and that I should install wordpress instread - I get this reply:

"if you're going to install WordPress for me... I'll be able to see the login details in the wp-config.php file anyways"

[Synook]

If they have filesystem access, then that is true. I don't know what sort of contract you have with the client, but if they have free reign over their part of the server then the best you can do is create a new MySQL user account with access only to the database they will use for Wordpress - that should be secure enough.

[dsonesuk]

If you are just providing host, database name, database username and database password so they can setup access to specific database, what's the problem? they don't have login information to customer login through your host login page, to access any of the other databases, or anything else! its that specific database only. If they require access to a folder on the server, you just provide ftp account to access that folder only, so they can upload wordpress, they would only have login information to access the wordpress site, which would only give details of that specific database, and tables within it only, nothing else.

[justsomeguy]

It sounds a little weird that you're hosting sites for people and you don't know whether or not it's a good idea to give out login information or how to isolate users. Are you sure you want to be in the hosting business?