Re: [PHP-DB] Given only one mySQL user account by Host Company
Without the ability to update the database "mysql", your suggestion doesn't work. Just to confirm, here is a quick check to perform locally. 1. Log in as root. 2. Create DB "test" and user "test" with all privileges with grant option on only database "test". (grant all privileges on test.* to 'test'@'localhost' identified by 'password' with grant option;) 3. Log out and reconnect with userid 'test'. Note that your top level db is now "test". 4. Create a table "testtable" in db "test" 5. Attempt to create new user "foo" with (any) privileges on test.testtable. You will receive the following error message: "Error Code : 1044 Access denied for user: '[EMAIL PROTECTED]' to database 'mysql'" Shay is in the same boat as user "test." Doug Bastien Koert wrote: Another thought on this: Even though you don't have access via phpmyadmin to get to the users table, could you try to create users/grant privileges via straight sql thur the PMA sql window? ie grant select, insert, update to 'bob'@'localhost' on mysql.users indentified by password('my_pass'); bastien From: Doug Thompson <[EMAIL PROTECTED]> To: Shay <[EMAIL PROTECTED]> CC: php-db@lists.php.net Subject: Re: [PHP-DB] Given only one mySQL user account by Host Company Date: Sun, 23 Jan 2005 15:51:41 -0700 Shay wrote: Yes they gave me phpMyAdmin to use, and no, I have no access to the user/privilege table. So the only way to output database entries is to connect with the single super account they gave me. Principally, this means you cannot allocate user accounts for mysql. No big deal unless you have a business model that calls for that. In which case, refer to my first comment in my original reply. I have a question about what you said Doug: Use INCLUDEs for the login portions of the script(s) and place them in a protected directory. If >you are unable to protect directories (.htaccess) with this host, they are begging for trouble and >victimizing their subscribers. In other words, call on an external function to connect to the database, and place the file with this function in a directory that is .htaccess protected. Is this correct? I do have a separate file with a database connect function that all the pages on my site use, I just don't have it in a .htaccess protected directory. Exactly right. The objective is to make it more difficult to hack the mysql login info. Doug -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Given only one mySQL user account by Host Company
Another thought on this: Even though you don't have access via phpmyadmin to get to the users table, could you try to create users/grant privileges via straight sql thur the PMA sql window? ie grant select, insert, update to 'bob'@'localhost' on mysql.users indentified by password('my_pass'); bastien From: Doug Thompson <[EMAIL PROTECTED]> To: Shay <[EMAIL PROTECTED]> CC: php-db@lists.php.net Subject: Re: [PHP-DB] Given only one mySQL user account by Host Company Date: Sun, 23 Jan 2005 15:51:41 -0700 Shay wrote: Yes they gave me phpMyAdmin to use, and no, I have no access to the user/privilege table. So the only way to output database entries is to connect with the single super account they gave me. Principally, this means you cannot allocate user accounts for mysql. No big deal unless you have a business model that calls for that. In which case, refer to my first comment in my original reply. I have a question about what you said Doug: Use INCLUDEs for the login portions of the script(s) and place them in a protected directory. If >you are unable to protect directories (.htaccess) with this host, they are begging for trouble and >victimizing their subscribers. In other words, call on an external function to connect to the database, and place the file with this function in a directory that is .htaccess protected. Is this correct? I do have a separate file with a database connect function that all the pages on my site use, I just don't have it in a .htaccess protected directory. Exactly right. The objective is to make it more difficult to hack the mysql login info. Doug -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Given only one mySQL user account by Host Company
--- Doug Thompson <[EMAIL PROTECTED]> wrote: > > Shay wrote: > > Yes they gave me phpMyAdmin to use, and no, I have > no access to the > > user/privilege table. So the only way to output > database entries is to > > connect with the single super account they gave > me. > > > I find this unusual. I'm on a shared host, and don't have access to the admin "MYSQL", but I can set up users for my databases, and grant any and all privelages to the users for those databases. I think it would send up a red flag if only one account was allowed , that being the superuser i.e. all privelages. Stuart -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Given only one mySQL user account by Host Company
Shay wrote: Yes they gave me phpMyAdmin to use, and no, I have no access to the user/privilege table. So the only way to output database entries is to connect with the single super account they gave me. Principally, this means you cannot allocate user accounts for mysql. No big deal unless you have a business model that calls for that. In which case, refer to my first comment in my original reply. I have a question about what you said Doug: Use INCLUDEs for the login portions of the script(s) and place them in a protected directory. If >you are unable to protect directories (.htaccess) with this host, they are begging for trouble and >victimizing their subscribers. In other words, call on an external function to connect to the database, and place the file with this function in a directory that is .htaccess protected. Is this correct? I do have a separate file with a database connect function that all the pages on my site use, I just don't have it in a .htaccess protected directory. Exactly right. The objective is to make it more difficult to hack the mysql login info. Doug -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Given only one mySQL user account by Host Company
Yes they gave me phpMyAdmin to use, and no, I have no access to the user/privilege table. So the only way to output database entries is to connect with the single super account they gave me. I have a question about what you said Doug: >Use INCLUDEs for the login portions of the script(s) and place them in a >protected directory. If >you are unable to protect directories (.htaccess) >with this host, they are begging for trouble and >victimizing their >subscribers. In other words, call on an external function to connect to the database, and place the file with this function in a directory that is .htaccess protected. Is this correct? I do have a separate file with a database connect function that all the pages on my site use, I just don't have it in a .htaccess protected directory. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Given only one mySQL user account by Host Company
Shay definitely has bad hosting. the guy wants a seperate mysql user with readonly privileges on his DB which is good practice. only ... his hostingco. has given him a single DB and a single user a/c. no doubt they manage their system via a webinterface - when every they add a customer, they check the box marked "add MySQL DB to hosting package" and click go. I bet that Shay does not have access to the MySQL system tables - like he said, the user a/c he has been given any grant privileges (at least that what I think he meant) Bastien Koert wrote: What admin tools do you have for the db? PhpMyAdmin? something else? Many of those can be used to create additional user accounts with more limited restricitions. Bastien From: "Shay" <[EMAIL PROTECTED]> Reply-To: "Shay" <[EMAIL PROTECTED]> To: php-db@lists.php.net Subject: [PHP-DB] Given only one mySQL user account by Host Company Date: Sun, 23 Jan 2005 03:03:26 -0700 My hosting company gave me one database and one root user account, and I have no access for priviliges at all. So as far as I can tell, the only way for me to connect to the database on my site is to do a mysql_connect("host", "user", "pass"), where the user and pass are the ones for this one super account. Is this a major security concern or what? Is there a way around this, or a way to minimize security problems? I've emailed them about this, and they act like they have no clue what I'm talking about: >I'm not trying to hide files or directories, I'm talking about when I use >PHP and make a connection to the database using mysql_connect("host", >"user", "pass"). This script is what is in my webpages that connects to the >DB and retrieves data to print for users. Is there an anonymous account to >use for retrieving data, or can I make one? > Then the program or script you are using should have means for your users to access permitted areas. And there is no anonymous account, there is only your own account Db Now. Hosting company provide your site with tool for you to use your own programs and it's up to you which programs and how you use them. Our job is to make sure the tool is working. Other than that, we do not provide support for scripts and the programs you are using. If you having problems to use some programs then you need to get in touch with developers and find what need to be done and how. boilerplate idiots. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] Given only one mySQL user account by Host Company
What admin tools do you have for the db? PhpMyAdmin? something else? Many of those can be used to create additional user accounts with more limited restricitions. Bastien From: "Shay" <[EMAIL PROTECTED]> Reply-To: "Shay" <[EMAIL PROTECTED]> To: php-db@lists.php.net Subject: [PHP-DB] Given only one mySQL user account by Host Company Date: Sun, 23 Jan 2005 03:03:26 -0700 My hosting company gave me one database and one root user account, and I have no access for priviliges at all. So as far as I can tell, the only way for me to connect to the database on my site is to do a mysql_connect("host", "user", "pass"), where the user and pass are the ones for this one super account. Is this a major security concern or what? Is there a way around this, or a way to minimize security problems? I've emailed them about this, and they act like they have no clue what I'm talking about: >I'm not trying to hide files or directories, I'm talking about when I use >PHP and make a connection to the database using mysql_connect("host", >"user", "pass"). This script is what is in my webpages that connects to the >DB and retrieves data to print for users. Is there an anonymous account to >use for retrieving data, or can I make one? > Then the program or script you are using should have means for your users to access permitted areas. And there is no anonymous account, there is only your own account Db Now. Hosting company provide your site with tool for you to use your own programs and it's up to you which programs and how you use them. Our job is to make sure the tool is working. Other than that, we do not provide support for scripts and the programs you are using. If you having problems to use some programs then you need to get in touch with developers and find what need to be done and how. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Given only one mySQL user account by Host Company
Simple _complete_ solution: Find a different hosting company that provides a virtual server and root access to everything about your account. Cost should be nominal, but probably not free. Simple _partial_ solution: Use INCLUDEs for the login portions of the script(s) and place them in a protected directory. If you are unable to protect directories (.htaccess) with this host, they are begging for trouble and victimizing their subscribers. Simple _lack of a_ solution: Don't put anything on this site that anyone cares about protecting. If that all sounds obvious, it's supposed to. Doug Shay wrote: My hosting company gave me one database and one root user account, and I have no access for priviliges at all. So as far as I can tell, the only way for me to connect to the database on my site is to do a mysql_connect("host", "user", "pass"), where the user and pass are the ones for this one super account. Is this a major security concern or what? Is there a way around this, or a way to minimize security problems? I've emailed them about this, and they act like they have no clue what I'm talking about: I'm not trying to hide files or directories, I'm talking about when I use PHP and make a connection to the database using mysql_connect("host", "user", "pass"). This script is what is in my webpages that connects to the DB and retrieves data to print for users. Is there an anonymous account to use for retrieving data, or can I make one? Then the program or script you are using should have means for your users to access permitted areas. And there is no anonymous account, there is only your own account Db Now. Hosting company provide your site with tool for you to use your own programs and it's up to you which programs and how you use them. Our job is to make sure the tool is working. Other than that, we do not provide support for scripts and the programs you are using. If you having problems to use some programs then you need to get in touch with developers and find what need to be done and how. -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php