On Wed, 2004-01-14 at 13:32, Chris W wrote:
> Are there many php or mysql configuration considerations for making the
> site secure? I have already done the obvious with my sql and set up the
> grant tables with passwords for all users and removed the [EMAIL PROTECTED] user.
Give the MySQL user you're using only the minimum permissions. I doubt your web app will need to ALTER table structures, for example.

I like to use privilege separation. In my code I have different MySQL users with different permissions. One might have read-write access (SELECT, INSERT, UPDATE etc.) and another has read-only. I then use these users appropriately throughout my code. For example, a script that searches a table uses the read-only user. Then no matter how clever the attacker is, they won't be able to DELETE all my data by exploiting that code.

John.

--
GPG: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
URL: http://www.johnleach.co.uk
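The privilege separation John describes, written out as MySQL GRANT statements. This is an added example, not code from the message above; the database name `shop`, the account names `shop_ro` / `shop_rw` and the passwords are placeholders.

```sql
-- Added example (not from the message above): two MySQL accounts with
-- deliberately different privileges, scoped to one database and to
-- connections from localhost. Database, user names and passwords are
-- placeholders. CREATE USER requires MySQL 5.0 or later.

-- Read-only account, used by scripts that only query (e.g. a search page).
CREATE USER 'shop_ro'@'localhost' IDENTIFIED BY 'placeholder-ro-password';
GRANT SELECT ON shop.* TO 'shop_ro'@'localhost';

-- Read-write account for scripts that must insert or update rows.
-- No DELETE, DROP, ALTER or GRANT OPTION: a bug in code using this
-- account cannot be used to destroy tables or widen its own access.
CREATE USER 'shop_rw'@'localhost' IDENTIFIED BY 'placeholder-rw-password';
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'shop_rw'@'localhost';

-- Verify what each account can actually do before deploying.
SHOW GRANTS FOR 'shop_ro'@'localhost';
SHOW GRANTS FOR 'shop_rw'@'localhost';

-- Sanity check: connected as shop_ro, a statement such as
--   DELETE FROM shop.orders;
-- is refused with "DELETE command denied to user 'shop_ro'@'localhost'",
-- which is exactly the failure mode John relies on for the search script.
```

Each web script then connects with the least-privileged account that still lets it do its job, so the account used by a query-only page never holds a privilege that an injection through that page could abuse.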