New to this: what about security?

stealthkk
Forum Newbie
Posts: 2
Joined: Sat Jan 31, 2004 6:44 pm

New to this: what about security?

Post by stealthkk »

I have a question concerning MySQL security.
I have set up MySQL, PHP, and PHP-Nuke on a server and it's working great.
The setup program defaulted my SQL admin to root:(blank pw).
Even if I change the pw to something secure, what's to stop someone from going to my site, looking in the config.php file, and using the specified username="" and password="" fields to fish around or destroy my database? How does this work and how can I make it secure?
Thanks in advance :)
-Kris
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

First you change the password for your MySQL root account.

Then you create a MySQL account that has only rights on the database that PHP-Nuke is using.

Then you put the config.inc.php or whatever file outside the public_html directory. This way, if Apache+PHP is broken, a regular surfer won't be able to request the unparsed file.

This still allows local users (at least the user nobody/www-data that runs the webserver) to read your file... (But those can be found easily by your webhost)
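
The first two steps of the answer above written out as SQL, as an added example that is not part of timvw's post. It assumes MySQL 5.7 or later syntax; the database name `nuke`, the account `nuke_app` and both passwords are placeholders, and the four granted privileges are an assumed minimum for normal operation.

```sql
-- Added example, not from the thread. Placeholders: `nuke` (database),
-- 'nuke_app' (application account), both passwords.
-- Run once as an administrative user from the mysql client.

-- Step 1: the installer left root with a blank password; set one.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE_WITH_ROOT_PASSWORD';

-- Step 2: a dedicated account for the web application.
-- 'localhost' as the host part means it cannot log in over the network.
CREATE USER 'nuke_app'@'localhost' IDENTIFIED BY 'REPLACE_WITH_APP_PASSWORD';

-- Rights on the application database only, and only row-level operations:
-- no DROP, no GRANT OPTION, no FILE, nothing on other databases.
-- If an installer or upgrade script needs CREATE or ALTER, run that step
-- with an administrative account instead of widening this grant.
GRANT SELECT, INSERT, UPDATE, DELETE ON `nuke`.* TO 'nuke_app'@'localhost';

-- Check 1: review what the application account can actually do.
-- Anything beyond the four privileges on `nuke`.* is more than it needs.
SHOW GRANTS FOR 'nuke_app'@'localhost';

-- Check 2: look for accounts that still have no password set.
-- Accounts that authenticate through a socket plugin also store an empty
-- string here; the plugin column tells the two cases apart.
SELECT user, host, plugin
  FROM mysql.user
 WHERE authentication_string = '' OR authentication_string IS NULL;
```

The application's config file then carries the `nuke_app` credentials instead of root's, so anyone who does manage to read it gets one database's rows and not the whole server.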
stealthkk
Forum Newbie
Posts: 2
Joined: Sat Jan 31, 2004 6:44 pm

Security

Post by stealthkk »

Thanks man! That's a good idea. I wonder why the default install (i.e. if one didn't know that) wouldn't protect against that?
Thanks anyway for the help :)