Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Doug Thompson
Without the ability to update the database "mysql", your suggestion doesn't 
work.
Just to confirm, here is a quick check to perform locally.
1.  Log in as root.
2.  Create DB "test" and user "test" with all privileges with grant option on only database "test".
   (grant all privileges on test.* to 'test'@'localhost' identified by 'password' with grant option;)
3.  Log out and reconnect with userid 'test'.  Note that your top level db is now "test".
4.  Create a table "testtable" in db "test"
5.  Attempt to create new user "foo" with (any) privileges on test.testtable.  
   You will receive the following error message:   "Error Code : 1044
   Access denied for user: '[EMAIL PROTECTED]' to database 'mysql'"

Shay is in the same boat as user "test."
Doug
Bastien Koert wrote:
Another thought on this:
Even though you don't have access via phpmyadmin to get to the users 
table, could you try to create users/grant privileges via straight sql 
through the PMA sql window?

ie
grant select, insert, update on mysql.user to 'bob'@'localhost' 
identified by 'my_pass';

bastien

From: Doug Thompson <[EMAIL PROTECTED]>
To: Shay <[EMAIL PROTECTED]>
CC: php-db@lists.php.net
Subject: Re: [PHP-DB] Given only one mySQL user account by Host Company
Date: Sun, 23 Jan 2005 15:51:41 -0700
Shay wrote:
Yes they gave me phpMyAdmin to use, and no, I have no access to the 
user/privilege table. So the only way to output database entries is 
to connect with the single super account they gave me.

Principally, this means you cannot allocate user accounts for mysql.  
No big deal unless you have a business model that calls for that.  In 
which case, refer to my first comment in my original reply.

I have a question about what you said Doug:

Use INCLUDEs for the login portions of the script(s) and place them 
in a protected directory.  If you are unable to protect directories 
(.htaccess) with this host, they are begging for trouble and 
victimizing their subscribers.


In other words, call on an external function to connect to the 
database, and place the file with this function in a directory that 
is .htaccess protected. Is this correct? I do have a separate file 
with a database connect function that all the pages on my site use, I 
just don't have it in a .htaccess protected directory.

Exactly right. The objective is to make it more difficult to hack the 
mysql login info.

Doug
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
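
The local check in steps 1 to 5 can also be read straight off the account's grants. This is an added example, not code from the thread: it parses constructed `SHOW GRANTS` rows for the `test` account and reports whether the account could create other users; the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Constructed SHOW GRANTS rows for the
// 'test' account from the steps above; '<hash>' is a placeholder.
// On a live server, read them with: SHOW GRANTS FOR CURRENT_USER();
$rows = [
    "GRANT USAGE ON *.* TO 'test'@'localhost' IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT ALL PRIVILEGES ON `test`.* TO 'test'@'localhost' WITH GRANT OPTION",
];

// Split one row into privilege list, scope and GRANT OPTION flag.
function parse_grant(string $row): ?array
{
    if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s/i', $row, $m)) {
        return null; // not a GRANT row
    }
    return [
        'privs'        => array_map('trim', explode(',', strtoupper($m[1]))),
        'scope'        => str_replace('`', '', $m[2]),
        'grant_option' => (bool) preg_match('/\bWITH\s+GRANT\s+OPTION\b/i', $row),
    ];
}

// Assumption: new accounts need a global privilege or write access to the
// `mysql` schema, which is what the 1044 error in step 5 points at.
function can_create_accounts(array $rows): bool
{
    $needed = ['ALL PRIVILEGES', 'ALL', 'INSERT', 'CREATE USER'];
    foreach ($rows as $row) {
        $g = parse_grant($row);
        if ($g === null) {
            continue;
        }
        $adminScope = $g['scope'] === '*.*' || stripos($g['scope'], 'mysql.') === 0;
        if ($adminScope && array_intersect($g['privs'], $needed)) {
            return true;
        }
    }
    return false;
}

foreach (array_filter(array_map('parse_grant', $rows)) as $g) {
    printf("%-8s %s%s\n", $g['scope'], implode(', ', $g['privs']),
        $g['grant_option'] ? ' (with grant option)' : '');
}
echo can_create_accounts($rows) ? "can create accounts\n" : "cannot create accounts\n";
```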




Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Bastien Koert
Another thought on this:
Even though you don't have access via phpmyadmin to get to the users table, 
could you try to create users/grant privileges via straight sql through the PMA 
sql window?

ie
grant select, insert, update on mysql.user to 'bob'@'localhost' identified 
by 'my_pass';

bastien

From: Doug Thompson <[EMAIL PROTECTED]>
To: Shay <[EMAIL PROTECTED]>
CC: php-db@lists.php.net
Subject: Re: [PHP-DB] Given only one mySQL user account by Host Company
Date: Sun, 23 Jan 2005 15:51:41 -0700
Shay wrote:
Yes they gave me phpMyAdmin to use, and no, I have no access to the 
user/privilege table. So the only way to output database entries is to 
connect with the single super account they gave me.

Principally, this means you cannot allocate user accounts for mysql.  No 
big deal unless you have a business model that calls for that.  In which 
case, refer to my first comment in my original reply.

I have a question about what you said Doug:

Use INCLUDEs for the login portions of the script(s) and place them in a 
protected directory.  If you are unable to protect directories 
(.htaccess) with this host, they are begging for trouble and victimizing 
their subscribers.

In other words, call on an external function to connect to the database, 
and place the file with this function in a directory that is .htaccess 
protected. Is this correct? I do have a separate file with a database 
connect function that all the pages on my site use, I just don't have it 
in a .htaccess protected directory.

Exactly right. The objective is to make it more difficult to hack the mysql 
login info.

Doug


Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Stuart Felenstein

--- Doug Thompson <[EMAIL PROTECTED]> wrote:

> Shay wrote:
> > Yes they gave me phpMyAdmin to use, and no, I have no access to the
> > user/privilege table. So the only way to output database entries is to
> > connect with the single super account they gave me.

I find this unusual. I'm on a shared host, and don't
have access to the admin "MYSQL", but I can set up
users for my databases, and grant any and all
privileges to the users for those databases.  I think
it would send up a red flag if only one account was
allowed, that being the superuser i.e. all
privileges.

Stuart




Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Doug Thompson
Shay wrote:
Yes they gave me phpMyAdmin to use, and no, I have no access to the 
user/privilege table. So the only way to output database entries is to 
connect with the single super account they gave me.

Principally, this means you cannot allocate user accounts for mysql.  No 
big deal unless you have a business model that calls for that.  In which case, 
refer to my first comment in my original reply.
I have a question about what you said Doug:

Use INCLUDEs for the login portions of the script(s) and place them in a 
protected directory.  If you are unable to protect directories (.htaccess) 
with this host, they are begging for trouble and victimizing their 
subscribers.

In other words, call on an external function to connect to the database, and 
place the file with this function in a directory that is .htaccess 
protected. Is this correct? I do have a separate file with a database 
connect function that all the pages on my site use, I just don't have it in 
a .htaccess protected directory. 

Exactly right. The objective is to make it more difficult to hack the mysql 
login info.
Doug


Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Shay
Yes they gave me phpMyAdmin to use, and no, I have no access to the 
user/privilege table. So the only way to output database entries is to 
connect with the single super account they gave me.

I have a question about what you said Doug:

>Use INCLUDEs for the login portions of the script(s) and place them in a 
>protected directory.  If you are unable to protect directories (.htaccess) 
>with this host, they are begging for trouble and victimizing their 
>subscribers.


In other words, call on an external function to connect to the database, and 
place the file with this function in a directory that is .htaccess 
protected. Is this correct? I do have a separate file with a database 
connect function that all the pages on my site use, I just don't have it in 
a .htaccess protected directory. 




Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Jochem Maas
Shay definitely has bad hosting.
the guy wants a separate mysql user with readonly privileges on his DB which
is good practice. only ...
his hostingco. has given him a single DB and a single user a/c. no doubt they manage
their system via a webinterface - whenever they add a customer, they check the
box marked "add MySQL DB to hosting package" and click go.
I bet that Shay does not have access to the MySQL system tables - like he said,
the user a/c he has been given any grant privileges (at least that's what I think he meant)

Bastien Koert wrote:
What admin tools do you have for the db? PhpMyAdmin? something else? 
Many of those can be used to create additional user accounts with more 
limited restrictions.

Bastien
From: "Shay" <[EMAIL PROTECTED]>
Reply-To: "Shay" <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] Given only one mySQL user account by Host Company
Date: Sun, 23 Jan 2005 03:03:26 -0700
My hosting company gave me one database and one root user account, and I
have no access for privileges at all. So as far as I can tell, the only way
for me to connect to the database on my site is to do a
mysql_connect("host", "user", "pass"), where the user and pass are the ones
for this one super account.

Is this a major security concern or what? Is there a way around this, or a
way to minimize security problems? I've emailed them about this, and they
act like they have no clue what I'm talking about:

>I'm not trying to hide files or directories, I'm talking about when I use
>PHP and make a connection to the database using mysql_connect("host",
>"user", "pass"). This script is what is in my webpages that connects to the
>DB and retrieves data to print for users. Is there an anonymous account to
>use for retrieving data, or can I make one?
>

Then the program or script you are using should have means
for your users to access permitted areas. And there is no
anonymous account, there is only your own account Db
Now. Hosting company provide your site with tool for you to use your
own programs and it's up to you which programs and how you use them.
Our job is to make sure the tool is working. Other than that, we do not
provide support for scripts and the programs you are using.
If you having problems to use some programs then you need to get
in touch with developers and find what need to be done and how.
boilerplate idiots.


RE: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Bastien Koert
What admin tools do you have for the db? PhpMyAdmin? something else? Many of 
those can be used to create additional user accounts with more limited 
restrictions.

Bastien
From: "Shay" <[EMAIL PROTECTED]>
Reply-To: "Shay" <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] Given only one mySQL user account by Host Company
Date: Sun, 23 Jan 2005 03:03:26 -0700
My hosting company gave me one database and one root user account, and I
have no access for privileges at all. So as far as I can tell, the only way
for me to connect to the database on my site is to do a
mysql_connect("host", "user", "pass"), where the user and pass are the ones
for this one super account.
Is this a major security concern or what? Is there a way around this, or a
way to minimize security problems? I've emailed them about this, and they
act like they have no clue what I'm talking about:
>I'm not trying to hide files or directories, I'm talking about when I use
>PHP and make a connection to the database using mysql_connect("host",
>"user", "pass"). This script is what is in my webpages that connects to the
>DB and retrieves data to print for users. Is there an anonymous account to
>use for retrieving data, or can I make one?
>

Then the program or script you are using should have means
for your users to access permitted areas. And there is no
anonymous account, there is only your own account Db
Now. Hosting company provide your site with tool for you to use your
own programs and it's up to you which programs and how you use them.
Our job is to make sure the tool is working. Other than that, we do not
provide support for scripts and the programs you are using.
If you having problems to use some programs then you need to get
in touch with developers and find what need to be done and how.


Re: [PHP-DB] Given only one mySQL user account by Host Company

2005-01-23 Thread Doug Thompson
Simple _complete_ solution:  Find a different hosting company that provides a 
virtual server and root access to everything about your account.  Cost should 
be nominal, but probably not free.
Simple _partial_ solution:  Use INCLUDEs for the login portions of the 
script(s) and place them in a protected directory.  If you are unable to 
protect directories (.htaccess) with this host, they are begging for trouble 
and victimizing their subscribers.
Simple _lack of a_ solution:  Don't put anything on this site that anyone cares 
about protecting.
If that all sounds obvious, it's supposed to.
Doug
Shay wrote:
My hosting company gave me one database and one root user account, and I 
have no access for privileges at all. So as far as I can tell, the only way 
for me to connect to the database on my site is to do a 
mysql_connect("host", "user", "pass"), where the user and pass are the ones 
for this one super account.

Is this a major security concern or what? Is there a way around this, or a 
way to minimize security problems? I've emailed them about this, and they 
act like they have no clue what I'm talking about:


I'm not trying to hide files or directories, I'm talking about when I use
PHP and make a connection to the database using mysql_connect("host",
"user", "pass"). This script is what is in my webpages that connects to the
DB and retrieves data to print for users. Is there an anonymous account to
use for retrieving data, or can I make one?

Then the program or script you are using should have means
for your users to access permitted areas. And there is no
anonymous account, there is only your own account Db
Now. Hosting company provide your site with tool for you to use your
own programs and it's up to you which programs and how you use them.
Our job is to make sure the tool is working. Other than that, we do not
provide support for scripts and the programs you are using.
If you having problems to use some programs then you need to get
in touch with developers and find what need to be done and how. 
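
The "partial solution" above, sketched as an added example that is not code from the thread: the connect function lives in a directory that Apache refuses to serve, and the file also refuses to run when requested directly. The directory layout, file names, database name and credentials are assumptions, and `mysqli` stands in for the `mysql_connect()` call quoted in the thread.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   public_html/index.php               page served to visitors
//   public_html/private/.htaccess       blocks direct HTTP requests
//   public_html/private/db_connect.php  this file
//
// public_html/private/.htaccess (host must allow overrides):
//   Require all denied          # Apache 2.4
//   # Apache 2.2 and earlier:
//   # Order allow,deny
//   # Deny from all
//
// Why both layers: if PHP handling ever breaks, Apache would serve this
// file as plain text; the .htaccess rule keeps the credentials unreadable.

// Second layer: refuse to run when this file itself is the request target.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(403);
    exit;
}

function db_connect(): mysqli
{
    // Placeholder values for the single account issued by the host.
    $host = 'localhost';
    $user = 'user';
    $pass = 'pass';
    $name = 'mydb';

    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli($host, $user, $pass, $name);
    } catch (mysqli_sql_exception $e) {
        // Log server-side only; never echo connection details to visitors.
        error_log('DB connect failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Service unavailable');
    }
}

// In public_html/index.php:
//   require __DIR__ . '/private/db_connect.php';
//   $db = db_connect();
```

Where the host permits it, placing `db_connect.php` above the document root achieves the same result without relying on `.htaccess` being honoured.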
