Christopher G Tantalo [EMAIL PROTECTED] wrote:
>    This is an off-topic question, so please excuse this.  I am using a 
> cgi/dbi script to connect to a mysql database that I have set up on my 
> sparc 10, using Debian at home.  Now, I want to give people user 
> accounts to the database and not the system, but when I try to connect 
> as the user, it doesnt work, even though they are in the mysql.user 
> database.  (The command I used was "Grant ALL to <user name> on 
> <database name> identified by <password>").  Is this the right way to 
> get people set up?

Yeah, it takes some time to get the mysql users set up
with the right permissions - I've just been playing around
with this the last few weeks myself.  My guess is that your
GRANT isn't quite right yet.

p.426,427 of book "MySQL" by Paul DuBois describes these
grants:

  GRANT ALL ON *.* TO [EMAIL PROTECTED] IDENTIFIED BY "coffee"

*.*       - means all databases(1st *), all tables(.*)
ethel     - user
localhost - from this host

You can use wildcards.  For example, if you want to allow
user 'joe' to connect from any host, you could do

  GRANT ALL ON *.* TO joe@'%' IDENTIFIED BY "coffee"

Check the www.mysql.com website - read the docs on the
GRANT.

>   
>    And secondly, on the topic of being secure, having them connect by 
> typing in their username and password in a text input box using cgi/dbi 
> is fine?  Or should I look into using an HTTPS connection to have things 
> encrypted?

Personally I'd use
  1. there is a way to specify that an html tag is of
     type PASSWORD.  Using that type, the user will see
     asterisks appear for each character typed in to that
     field, and
  2. an HTTPS connection, which I believe means that you
     need to get(or setup) a certificate to place on your
     server.  I think(?) one place to get yourself a
     certificate is verisign - you might have to pay for it.

It's been quite a while since I've done user/password stuff
and although I've used a server that had https setup on it,
I wasn't the one to set it up - so take this with a grain of
salt.  Hopefully someone more knowledgable will either confirm
or deny what I've said.

One technique I've used in the past was to take the text
password the user typed in, and encrypt it, and store the
encrypted password in the database.  Then, when the user
comes to the site, types in the pw, you encrypt it(using
the same encryption method) and compare that to the value
stored in the db.  This gives some(small) measure of 
security in case someone broke into your database - the
passwords in the db are not plain text.

HTH.
-- 
Hardy Merrill
Red Hat, Inc.

Reply via email to