From: adam beecher (adam at domain iewebs.com)
Date: Wed 31 May 2000 - 14:30:19 IST
> categories. How the FffK did he do that. I wondered. So I can
> assume that either MySQL is not very secure or my php page has a
> flaw somewhere.
>
Either or. MySQL isn't the best SQL server in the business, it's just easy to
set up and use, and it's cheap. You want secure and all the rest of it, you have
to buy Sybase or Oracle and ten servers to do it right. And PHP isn't the best
language in the world - someone pointed out the automatic "creation" of
variables recently as a pretty good example of an easy f**kup. You just have to
weigh up ease of use against the possible problems, and try and foresee those
problems. I've had to have a wee look around my scripts since that posting.
Luckily I use for() loops instead of while(), so I was ok. :)
I reckon you poke around your scripts though, and see if you've left anything in
the open. I've done it meself - left "setup" scripts in DocumentRoot and that -
it's too easy to do. Check to see if your MySQL username and password are
protected - keep them below DocumentRoot if at all possible. Also check your
MySQL permissions - make sure that the user you've set up with access to the DB
*only* has access to the DB and tables required, and only with the actions
required. It's easy to set it up with the root user while testing, and just as
easy to forget to change it. If it *was* in there, change the password.
But you probably knew all that. :)
adam
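The MySQL permissions advice above (a dedicated user with access only to the required database, tables and actions, and a password change if root was ever used) as a worked example. This is an added illustration, not code from the mailing-list post or from the original poster's site; the database, table and account names (shop, articles, categories, 'webapp', 'webadmin') and every password string are constructed placeholders, and the syntax assumes MySQL 5.7 or later (CREATE USER, ALTER USER).

```sql
-- Added example (not from the post): the "tester" setup the reply warns
-- about, next to a least-privilege grant. All names are placeholders.

-- WEAK: the PHP page connects as root. Any flaw in the page then reaches
-- every database on the server. In the grant table that looks like:
--   SHOW GRANTS FOR 'root'@'localhost';
--   -> GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION

-- HARDENED: a dedicated account that can only reach the one database,
-- only the tables the page reads, and only with SELECT.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'placeholder-change-me';

-- Public pages only read: no INSERT/UPDATE/DELETE, no DDL, no FILE,
-- nothing on other databases.
GRANT SELECT ON shop.articles   TO 'webapp'@'localhost';
GRANT SELECT ON shop.categories TO 'webapp'@'localhost';

-- If an admin page must write, give it its own account instead of widening
-- 'webapp', so the read path and the write path use different credentials.
CREATE USER 'webadmin'@'localhost' IDENTIFIED BY 'placeholder-change-me-too';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.articles   TO 'webadmin'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.categories TO 'webadmin'@'localhost';

-- Check: each listing should show only the grants above, never ON *.*
-- and never ALL PRIVILEGES.
SHOW GRANTS FOR 'webapp'@'localhost';
SHOW GRANTS FOR 'webadmin'@'localhost';

-- If the page ever ran as root, rotate that password as the reply says
-- ("If it *was* in there, change the password").
ALTER USER 'root'@'localhost' IDENTIFIED BY 'placeholder-new-root-password';
```

The two SHOW GRANTS statements are the check to keep running after every change: if a later "quick fix" turns a grant back into ON *.* or ALL PRIVILEGES, it shows up there. The new account's password still has to live somewhere the PHP page can read it, which is the reply's other point: keep that settings file below DocumentRoot and pull it in with an include, so a request for its URL returns nothing.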
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:06:19 GMT