Paul

Members
  • Posts

    36
Contact Methods

  • AIM
    PaulChiesman
  • MSN
    PaulChiesman
  • Website URL
    http://www.villagebistro.info
  • ICQ
    0

Profile Information

  • Location
    Melbourne, FL

  1. I consider the ability to "DROP" a table a pretty special privilege, and that's exactly what I'm trying to keep certain users from doing. This is just a general security issue, not geared to any single application. Again the point is, the script has to have a username/password, that's a given; what I don't want to have happen is, through some hole that I missed in my code, someone entering the SQL query code that would drop the table. Yes, it would be my fault for not 'safety-checking' all user input, but it would sure be nice if I knew that the username/password that was logging into the Db didn't have the permissions to do it at all, that's all. Again, not a major motion-picture, just worrisome. Later, Paul
  2. Thanks for the comments Rayners and Lianna. First your point Rayners ... actually all the scripts ask you to modify the configuration file to reflect the username, password and database name (or preface) that the script is to use to create and maintain the database. Now this is a certain level of security of course, since the only databases that can be accessed with that password are the ones that have been created by the application or program. My situation is this: I have a database with about 40 tables in it. The application I'm creating has a username/password that allows access to the database and all associated tables. Now "in theory" this password is stored in $_SESSION variables which should never be accessible to the users. Keyword here is "theory." My concern is that if some evil person somehow gained access to the raw PHP source to the application (don't ask me how it could be done, I'm not a cracker and have no desire to be one), that person would now have the ability to directly access the database and do whatever they wanted to do to the tables. Mind you, my application is far from a "top secret" type thing, but it is going to be a fairly sophisticated and database intensive system and I want to protect my data as much as possible. My goal in life was to have a username/password that would allow all the normal Db operations necessary but could be restricted from operations like "EMPTY" or "DROP" and such. I know it can be done in MySQL but not the way it's set up right now. I guess the point is this: the reason we can't do what I'd like to do is *probably* that in order for us to do it, TCH would have to allow each of us "full" privileges to the 'user' database, the same privileges we have to give the users to access our databases. (Did that make sense to anyone else? LOL) It's probably a moot point, I doubt that anyone is going to find my site valuable enough to justify breaking in. If I ever do carry super sensitive information I'll be much more concerned and probably be forced to go to a dedicated server to get full administrative privileges. Anyway, that's just my thinking on the issue. Later, Paul
  3. Well, I got asked so I'll answer ... I don't think it can be done. I've played with it since I found the information in the documentation, but it appears that we need to have access to a secured database which we just don't have. The only thing I can think of regarding Lianna's being able to use the GRANT statement is that she has some kind of 'superuser' access that we don't. I am probably missing something incredibly obvious here, so if anyone, anywhere has a sample script that has successfully run on the TCH user account PLEASE post it. I'm very uncomfortable putting a 'master' password in my PHP scripts but so far I haven't found a way around it. I know this doesn't help but maybe it will inspire the head guru to jump in with some ideas on how to secure the databases, or explain why it's not necessary. Thanks in advance for any input on this issue! Later, Paul
  4. Paul

    Phpmyadmin

    Rayners, you could very well be correct. The only reason I tend to think it's pretty straightforward to upgrade is that the link on cPanel is just that, a link to a whole new world. I may be very wrong but it wouldn't make sense to have all the functionality of cPanel embedded somehow in the cPanel code. Just my thoughts though, we'll have to wait and see. But thanks for paying attention anyway LOL. Later, Paul
  5. Paul

    Phpmyadmin

    Not sure where this should be posted so I'll post it here and see what happens. There is a new version of phpMyAdmin in general release now, version 2.4.0, and I was wondering when, and if, TCH was planning on upgrading the servers. If it's an issue I can just install it in my own webspace but thought I'd save myself the "learning" loop if you kind, wonderful, understanding, patient, all-knowing gurus were planning on the upgrade in the near future. Thanks in advance, Paul
  6. Paul

    Php.ini

    ROFLMAO, well, just as a side note, it's probably best NOT to add an auto prepend file to your configuration prior to uploading the damn thing! hehehehehe. I'm sure glad I'm playing in a "work" directory! Later, Paul
  7. Paul

    Php.ini

    LOL, oh well, as Lianna mentioned in my previous question ... worst case the wonderfolks at totalchoice can always reset my entire site if I mess up too bad. Thanks, Paul
  8. Paul

    Php.ini

    Okay Rayners, I've looked at the library I'm trying to install (phpLIB) and the PHP documentation and *think* I've figured out how to do this, now I'm just not sure where to do it. I think if I add the following lines of code to the .htaccess file in the public_html folder of my site it should work. What do you think? Any comments would be appreciated. Thanks, Paul

        <IfModule mod_php4.c>
        # Search the phpLIB directory in addition to the default include path
        php_value include_path ".:/usr/local/lib/php:/home/xxxxxxxxx/lib/php/includes/phplib/"
        # Load phpLIB's prepend file before every PHP script
        php_value auto_prepend_file "/home/xxxxxxxxx/lib/php/includes/phplib/prepend.php3"
        </IfModule>
  9. Paul

    Php.ini

    LOL Rayners, you be da' man! I've been in that manual all morning and missed that. Thanks again. Later, Paul
  10. Paul

    Php.ini

    Subject pretty much says it all. Thanks in advance, Paul
  11. Watch it KW, I'm already in Florida LOL ... Beachside of Melbourne, where are you? Later, Paul
  12. LOL, adding my new favorite: If all else fails, post on the totalchoice forums. Thanks again all! Later, Paul
  13. Thanks for the responses folks! After a full night's sleep and allowing the scotch to be absorbed I decided to try something revolutionary ... I looked at the MySQL documentation. Lo and behold, there's an SQL command "GRANT" that will do anything I wanted to do (insert pic of Paul doing the snoopy happy-dance here) ... Thanks again, I'm sure there will be many more questions to follow as I manage to mangle a perfectly good web-account! Later, Paul
  14. Is there any way to set up different security 'levels' for use with PHP in accessing a database? My scripts are working okay but I'd like to be able to use a password and username that doesn't allow for some operations, i.e. drop table LOL ... it seems to be a pretty logical request but I'm darned if I can find any information on setting security levels on the username level. Thanks in advance for any help (*sigh* again). Later, Paul
  15. Just to close out this thread, and to let future readers know, Lianna and Nick managed to track my problem down. It turned out that it was indeed a scripting error and I now sit here with mucho egg on my face! The support here is truly awesome and they went way "above and beyond" to give me a hand! Didn't want anyone to think I was left hanging here, not at all the case! Thanks to all, Paul