URGENT SECURITY ISSUE
I have a .asp application in which certain parts, clients can now
edit/update/add information to their records in our DB.
I basically use an include statement at the top of each page. The
include .asp page has my connection data within .asp tags. The general
'user' to which the connection belongs only has 'select' facilities
within the db.
If I now want to let a client update/delete/add information, then
surely giving them access to Update/Delete & Add is very high risk ?.
If they manage to gain access to our Username & password, then they
could delete all our information ?.
What is the standard workaround for this scenario ?
View Complete Forum Thread with Replies
See Related Forum Messages: Follow the Links Below to View Complete Thread
Security Issue
I have just installed MySQL on my PC as part of Wamp5, with the idea learning about how to operate a database and intergrate it with my websites. When I open the phpMyAdmin first page there is a warning. "Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole." What is this referring to? and how do I "fix the hole" Thanks. Life...It's difficult not to take it personally.
Security Issue
still new to mysql and this is my first post. i am using mysql on windows xp home machine, and i've noticed that i can open the mysql user table in notepad and although there is a lot of garbage text in it, the username and encrypted password are clearly within the garbage text. have i done something wrong in my admin/install, or is this the way it is supposed to work?
Security Issue When Using PhpMyAdmin
I have installed phpMyAdmin to work with my database. But phpMyAdmin requires me to change my userID and password in the configuration file so that it can connect to MySQL. That file can be opened with any text editor. Wouldn't it be very easy for anyone to access that file and know my MySQL password? Is there any way of protecting my password? I'm using my machine as a testing server.
SECURITY ISSUE On MySQL Users ?
I have a .asp application in which certain parts, clients can now edit/update/add information to their records in our DB. I basically use an include statement at the top of each page. The include .asp page has my connection data within .asp tags. The general 'user' to which the connection belongs only has 'select' facilities within the db. If I now want to let a client update/delete/add information, then surely giving them access to Update/Delete & Add is very high risk ?. If they manage to gain access to our Username & password, then they could delete all our information ?.
Hi, Need Urgent Help On Sql Select Statement
I have two tables that stores product details which is carinfo and products.I did it in 2 separate tables as the products are by diffrent category and therefore the fields are different. I'm not sure if that was the correct way doing it coz i seem to have problem now. The problem is,each product purchased are stored in a order table and that table only stores the product ID. The items in the first two table which is carinfo and products, have both unique ID like p1 and c1. My problem now is when i'm trying to get the product information of item in order table i need to check if that is from product table or carinfo. Coz i wanted to generate a report that will list the item in order table together with the items information. The sql i use is "select p.productid,p.prodname,p.proddescription,c.productid,c.prodname,c.proddescription from carinfo c,product p where p.productid='p14' or c.productID='p14' group by p.productid,p.prodname,p.proddescription,c.productid,c.prodname,c.proddescription" You can view th example results here. http://www.ineers.com/meg/error.JPG the results i get are the product information of the item if its in product table,but the quesry also results to list all the product name in carinfo table. I hope my question is clear. Its urgent and i've been breaking my head thinking how to solve this without having to change my database design which is to combine both carinfo and product table as one.
Urgent Select Statement
I have two tables Table 1 named Alan1 alan1_id | alan1_name | alan1_gtip 1 | bruce | 12 2 | brad | 13 Table 2 named Alan2 alan2_id | alan2_name | alan2_gtip 1 | lee | [12] 2 | pitt | [13] I have been trying to join these tables using like or other commands to obtaion the rows like this. But i could not get over the [ ] in the second table by sql. 1 bruce lee 12 2 brad pit 13
URGENT: Please Help Me With My ON DUPLICATE KEY UPDATE Query
Could you please help me do this quickly. I have a query: Quote: mysql_query("INSERT INTO products (id, title, brand) SELECT id, title, brand FROM prodse WHERE approved=1 ON DUPLICATE KEY UPDATE groupname=a") What I need it to do is that whne title and brand matches, it is then a duplicate listing. I have set up the unique key for this. When a duplicate listing is found it will then change the groupname value from "1" and update it with "a". When it then finds the next duplicate listing that has the same title and brand as the duplicate listing that had it's groupname changes to "a", I need it to be change to "b" this time. So I now have two listings that have a groupname of "a" and "b". Now when there is more duplicate listings that have the same title and brand as "a" and "b", I now need the groupname to be updated to the actual listings id and not use "a", "b", "c", etc... How can I do that. I know how I can do the first one so that it updates to 8, but then how would I do the 2nd and 3rd ones. Please help, I have to do this urgent as my database is really slow and it is damaging my site as it is taking about a minute or so to do each query. Also, I would prefer it if it could be done in one single query. I can also use variables in the query and if statements plus other php like Quote: mysql_query("INSERT INTO products (id, title, brand) SELECT id, title, brand FROM prodse WHERE approved=1 ON DUPLICATE KEY UPDATE groupname=$groupname")
Urgent - Load Sql Commands From Txt File
mysql -u root -p -D mydatabase < 'c:/sqlcommands.txt' All I ever get is the 'filename or volume' invalid, or something like that. It's not an issue with the path to the file, because I use c:/filename for other kinds of imports and it goes in fine. I urgently need to load some sql commands from this file else I have a lot of work to do.
How Can I Take Comma(,) As String In Mysql Query (was: Urgent)
how can i take comma(,) as string in mysql query.. actually i have a field value like (asd,sdf,asr,asf), (sdf,sdh,aqb), ...... now if someone searches for 'aq' then (sdf,sdh,aqb) value should be shown.. i think u guys got my point ...
Urgent Syntax Error In Importing .sql Files
I am trying to import .sql file which has create table and Insert table statements. I cannot use phpadmin as size of the file is too large. test is the databse and guestdb is the file whihc needs to be imported. I am giving command at sql prompt mysql> -u [username] -p test < c:/ ....guestdb.sql Error : there is error in sql server.
URGENT: Error 1316 On Install Of MySQL Connector/ODBC Driver 3.51
I have my Vice President's laptop and trying to install the ODBC drivers for reporting that he needs.. and am facing a time crunch. I'm getting the following error, which I've never run into before. I thought the setup file was corrupt, so I re-downloaded her from another mirror, but I get the same error. ERROR 1316. A network error occurred while attempting to read from the file C:DOCUME~1cbockLOCALS~1Tempmysql-connect or -odbc-3.51.12-win32.msi
Security
I installed mysql (OS: Window XP) Right now I can access to MySQL Database without username and password, how can I create a username and password? eg. In php, right now I can do this: connect($local_host); but I want it to be like this: connect ($local_host, $username, $password); Do I have to download any administrator software for that?
Security
I have a database where the major table has sets of rows created by each user - the row's author is indicated by holding the user's name in one of its columns. I want to restrict access to this table for each user (apart from a supervisor category) only to those rows which she has herself created.
Security Bug?
I have MySQL 4.1.3a and when I run this query, server crash with CPU using: 99%. WinXP SP1, 32 bit CPU I have no other problems with server ALTER TABLE `history`.`anniversaries` MODIFY COLUMN `event` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL; before `event` was greek
Security
I want to configure mysql server whith option "bind-address = 0.0.0.0" so a java application can connect to the server trought the internet. I'm not a security specialist, is this a big security issue? I'm using MySQL 4.0.24_Debian-10sarge2
Security
I am using MySql 4.0.14. I am trying to make use of some security functions that are posted in a MySQL book. The functions are: DES_ENCRYPT DES_DECRYPT ENCRYPT DECRYPT I have tried those functions with and without key strings. The just will not do anything. All they do is leave the field with a null value. They will not work for me. I am giving the following command: UPDATE myTable SET code = DES_ENCRYPT('thecode') It says it is a valid command.
Security
i was just wondering, would executing the following query (Grant all privilages on *.* to $host identified by ".$passwrod." with grant option) present any security concerns?
Security Msg
How do I fix this? The $cfg['PmaAbsoluteUri'] directive MUST be set in your configuration file! Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.
Question Of Security
I have a client that has a customer survey and rewards program that was written in Access with an ASP frontend. They have over 14000 records now and a query takes several minutes to run. My questions are: 1. How difficult/easy would it be to transfer to mySQL? 2. Is there helper applications to transfer it? 3. Would mySQL run the 14000+ records better than Access? 4. The client is very worried/paranoid about security, how can I ease that concern?
Is This A Security Attack ?
I have a remote server. So this morning when I was looking into the show processlist I saw 2 lines where the user is unauthenticated user " and the state is one is "Reading from net" and the other is "login". So what shall I do ? Is this an external hacker attack?
Security And Logs
There have been some problems with our server and things getting changed in mySQL, either via phpmyadmin or command line. Is there a logging tool that can keep track of sql commands, what commands were run and give the IP information?
Security Hazard
I installed the free version of mysql at my place. When I opened the console from the start menu, it would prompt me for the password. However if I type “mysql� in start->run it directly logs me in as the root with full access on the entire system. This did not happen with my friend who has also installed it. Does this happen with any one of you?
MySQL Security
I have been toying with the security aspect of MYSQL and there are a few things that I seem not to understand: Situation: I have created a user user@% with password pw, which if I understand correctly means he can log in from anywhere using his password. I only gave this person Select access (GRANT SELECT ...). According to the table "user", he is created correctly. Questions: 1) How come I can run other commands, like for example creating a table in a DB 2) How do I restrict "user@%" to only be able to do SELECT commands on a particular db (db_test) ?
Application Security
I would like to add client application security at the server end so it doesn't have to be embeded into each of the clients, just at/in the server. I have done a search of the Forum/NGs but can see no reference. Is it possible to access an external .dll from the server? The .dll would hold some security routines that could validate use, registration,etc. Obviously the .dll would have to be called by the server so the server would need to be 'called' to pass on the request. Is this possible? Alternativley, is it possible to embed routines in the server that can be locked and not got at by the normal tools?
Grants And Security
Most of the stuff I have previously done in MySQL has basically been on a server where everything was friendly :D Now I am having to code a site that shares MySQL with other sites, who should be considered to be potentially unfriendly ;) All I am asking, is, "what is the best way to" / "how do I" set this up? I mean, making sure that each site can only access it's own databases, and can still use phpMyAdmin, and so that the administrator can still see everything through phpMyAdmin. I have a feeling that phpMyAdmin will handle this stuff itself, and that all I have to do is set up the users etc. but I have no idea how to do this... If it helps, I am developing this for both Linux and Windows systems and so the code has to be interchangeable. I don't see that as a problem because surely we are only dealing with internal MySQL users here, and not system users...?
Security Mysql
I have built a software using php & mysql for a client. The mysql db too will be installed on the client's server. Apart from the normal tables, there is also 1 more table having some info abt the super user, ie, me (this is to give support to the client if at all the software crashes in the future). What i want is that my client should not be able to access this table or come to know that it exist at all(by using mysql query browser or smething else).
Security In My Databases
I am the root and I have 4 databases: 3 private and 1 public. I have a user (david), and I want david to access only the public database. We are using SQLYog frontend and I´ve tried a lot with grant and revoke commands, flush privileges, and others to avoid david watching any of the 3 private databases. When I try to log using david's login I'm able to watch everything in the 3 private databases. I don´t want david to watch neither structure nor data in any of the 3 databases.
Security Across The Internet
I am somewhat new to accessing a MySQL database across the internet. I would like to write a thin client that accesses the database on a remote site; however, I must be assured that the queries and - especially - the data returned is secure. IOW, I need to make sure that no prying eyes can spy on the data being returned to the application. What are your thoughts on this?
Security/behavior
I'm evaluating a project of mine to see if something would go wrong if a user started using the wrong character set, and I can't seem to determine from the MySQL manual what the behavior would be if a query attempted to insert a string with the wrong character set (including single byte and multibyte character sets). Would it treat each byte as if it were already part of the default character set? Or would it throw an error? How would it even know? I'm doing this with PHP so I know to use the "real escape" functions to escape the input, but I think it would still be good to know what is actually going on, and I don't have much experience with charsets/collations...
No Security Options
I have just downloded the "MySQL 4.1" and have got the package to install and have run through the various options but I never came to the setup for the initial password and user so when I run the dos window I get "Password"..... ( sits scratching his head looking at the screen ) Is there a fundimental step which I missed ( left all options as is on install ) and is there other programs that I will need to install to work with mysql for setting up websites ?
Account Security
I am about to produce a dynamic web site using PHP & MySql for a property management system. The users need to be able to log into an admin directory and then access the database with write permissions. In an attempt to improve security in a low tech way I thought - why not have one admin account that allows only to write and not to read and one admin account allowed only to read and not tow rite. In this event if a hacker was able to get at the account password details they woukd not be able to see what they were trying to write to and if the could see then they would not be able to write? i am aware of the potential of SQL injection attacks and how to prevent these.
Security In MySQL
Hi Guys, i am a n00b in MySql, i have a huge vBB running on it! my server is running port scan attacks. I am MCSE, but i do not know how to care about MySQL!
MySQL Security
I have set up a company and have registered for Data Protection Act in order to allow me to store information about potential customers of my website. I have my website hosted through a web host ( streamline.net ) and I have started to create a mySQL database in order to store customer details in it. I will then access the database automatically from one of the website pages - however, I am a little worried about security issues as obviously this page will contain the username and password for the mySQL database. I do not know much about web site hacking - but how can I ensure the details in my database are protected. The scripts i have written for access to the database are PHP scripts.
MySQL Security
Is there a white paper or documentation that explains the steps I need to take to secure a MySQL database outside the firewall? I would appreciate if someone would point me in the right direction.
MySQL Security
So lets say that somehow your mysql database directory info, port info, where your .cnf file is located, socket info, basedir and pid has all been listed in a processes list somehow on a website that is available to everyone... can someone use this information to do something malicious to your database? If so, how can they... and how can I protect myself?Something like this: system 27094 1 0 14:55 pts/1 00:00:00 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/mysqldata/confocal --pid-file=/mysqldata/confocal/confocal.pid --skip-locking --port=3326 --socket=/tmp/confocal.sock --log=/mysqldata/confocal/mysql-confocal.log --log-bin=/mysqldata/confocal/mysql-confoca --defaults-extra-file=/usr/local/mysql/data/my.cnf --
MySQL Security Of Data
Although I'm gradually getting the hang of working with MySql, can do a pretty mean query!! I realise I know nowt about security. Is security basically done outside MySQL ie with https:// and is it necessary/usual to have the database itself on a https server or just the code accessing it? Is there any level of security that can actually be applied at the mysql level, somebody in Usenet talked about RoT13 which is pretty feeble of course.
Safety Concern - SECURITY
Say you have a very simple MyIsam "table", 1 numeric field ("A_Field") and 1 record. Lets assume the value is already set to 0. Let us pretend 1000 queries are being sent at the same time (as simultaniously as computerly possible) and each is from 1000 different computers. Each query is like this: "UPDATE `table` SET `A_Field` = '#' WHERE `A_Field` =0 ;" # is the number of the computer that ran the query, so it would only be between 1 to 1000. Pardon the loose term, but will this type of simple update be treated as a "transaction"? (I know true transactions are only possible in BDB or InnoDB, im just using this word because it fits the scenario) Is it possible for more than 1 of the queries to update the field, or will 1 of the queries commit?
Integrated Table Security
I have a simple? project to display a web page consisting of job assignments, but need to lock down specific cells in the database table to the employee that the job is assigned to so that only he/she can edit certain cells. If you have a database table with the columns "employee", "Job", Status" then only management can edit the Employee and job column, but only the employee assigned in the "Employee" column can edit the status column for that "Job" row. Can anyone point me in the right direction?
Can't Apply Security Settings
I got MySQL5.0 working, turns out I forgot to remove my old data files. Here is my problem. I can install fine if I don't modify the security settings, but if I do modify them, it fails saying access was denied on the root account and not using a password. If I don't configure the security settings, I can't connect to it to admin it, either by command line or the GUI admin, it always says that access was denied. I'm not sure what to do now, I've reinstalled several times and the problem keeps commign back.
Security And Statement Advise
How secure is MySQL? I have been asked by a client to create a windows based application that will control / transfer / edit over HTTP. The data will be held on a MySQL server hosted on a standard IPSs server. I have been writing apps to do this for a while, but this client will be holding data that will be covered under the data protection act so they want to know how secure the data will be. So as a general rule how hard (or hopefully not easy) is MySQL to hack, or how secure is it when it can be accessed by external apps? Dose it just rely on the usernames and passwords? The second question, I want some advise on the best way to run a query. I have a list of product IDs, and I am trying to work out how many of each of the products was ordered between 2 dates, I have done the following but it take way to long to come back with the results as there could be up to 3000 products SELECT product, description, SUM(IF(product = 'productID1', `ord`, 0)) AS product1IDord, SUM(IF(product = 'productID2', `ord`, 0)) AS productID2ord, SUM(IF(product = 'productID3', `ord`, 0)) AS productID3ord, (.and so on but could be up to 3000 products) FROM theTable WHERE (timestamp >= '1234') AND (timestamp <= '9876') GROUP BY product ORDER BY product
MySQL Hardware And Security
It is my understanding the MySQL is a good back-end for either web services or client/ server databases. If I were to use MySQL as a backend for a client/ server database, where would it be installed? On a database server that is placed on the network correct? Also, does MySQL have a good security plan? What if I wanted to add some intrAnet web pages later on, could the back-end still be left on the database server? (I know I'd need some of the web server services added like Apache). Do you run a Linux or Windows platform on your back-end? We use activedirectory here, does that require windows based back-end? I want to build a case for MySQL, and these are the types of questions I expect. I know it has a huge performance advantage over all but Oracle (which it is close). But IT and management are skeptical of anything that does say "Microsoft" on the box.
Database Connectivity/Security
Ok... I've done enough web coding and security to know I am obviously missing something here. I understand the coding to connect to MySQL with PHP, and dictate which db and which username and password to connect to the db. My question is... "Isn't that dangerous to publish that critical data into a PHP file for everyone to see?" How is that hidden or am I totally missing something?
Password Database Security
Is it a safe idea to store and use a username and password out of a mySQL DB for logging into basic private pages? Does mySQL encrypt the table data if somehow specified? Is there a simpler way of doing this? without a DB?
PHP And Mysql-Security Mailinglist
I am administrating an sgi/apache webserver. Whether we will upgrade our website to contain a mysql-database and a php-module depends on the amount of administrative work necessary for maintenance (how many patches need to be applied per month). I searched the web, but I didn't find a list with all the security holes and patches for php and mysql. I search for something like the "SGI wiretap mailing list" or a similar thing on a webpage (list of all known bugs). Can anybody here show me such a list ?
Major Security Flaw
I wrote my first script from a tutorial which basically allows me to throw SQL queries at my db, no big deal. Ok so I made it and ran it on my server. My server is hosted space with different clients stuff on the same PC. so I run SHOW DATABASES. It shows me a list, apparently, of about 75 databases on the ENTIRE computer, it includes mine too. Is this bad? Should I be able to see this info or is my hosting provider leaving security open. Dare I try to access something about them to see if I am able to alter them, thusly them alter my db? Let me know if I am flipping out about nothing - this is like day one on php/mysql.
SQL Injection - MySQL Security Question
I protect against SQL injection attacks by casting all numeric values and running the appropriate escape-character function (in PHP, mysql_real_escape_string) on all non-numeric values. However I'm curious if I need to do any length checking on strings or bound-checking on numbers. Can that be used for buffer overflow or data corruption? Is that taken care of by setting the length of my fields, e.g., char(10)?
Security Question For User Permissions
I've had a site for half a year now, and I have this set up: 1 User with all permission to add/edit/delete etc. data 1 User with SELECT and INDEX permissions My question is do I need to make this (second) user to be secure? Because on my new site I want to my users(going to create user system) to be able to add comments and such and I don't want injections or etc. security hazards.
Security For Shared Server.xml Passwords
I have an ISP that has the server.xml in a shared environment. The server.xml file is where my password is available for database access under connection pooling. I really would like to use connection pooling. Does anyone know how I can protect my password from being viewed by others using the same server.xml file? I cannot get the administrator to change the protection of the file because others in the shared environment need to be able to view it.
|
TRACKER
