New to this: what about security?

Posted: Sat Jan 31, 2004 6:44 pm
by stealthkk
I have a question concerning MySQL security.
I have set up MySQL, PHP, and PHP-Nuke on a server and it's working great.
The setup program defaulted my SQL admin to root:(blank pw)
Even if I change the pw to something secure, what's to stop someone from going to my site, looking in the config.php file, and using the specified username="" and password="" fields to fish around or destroy my database? How does this work and how can I make it secure?
Thanks in advance :)
-Kris

Posted: Sat Jan 31, 2004 10:48 pm
by timvw
First you change the password for your mysql root account.

Then you create a mysql-account that has only rights on the database that phpnuke is using.

Then you put the config.inc.php or whatever file outside the public_html directory. This way, if apache+php is broken, a regular surfer won't be able to request the unparsed file.

This still allows local users (at least the user nobody/www-data that runs the webserver) to read your file... (But those can be found easily by your webhost)
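
Added example (not part of timvw's post and not PHP-Nuke code): a shell check that audits a config file against the steps above and the local-user caveat. It assumes bash and PHP-Nuke-style `$dbuname` / `$dbpass` variables; the finding labels, the `nuke_app` account name and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes PHP-Nuke-style $dbuname / $dbpass.

# audit_config DOCROOT CONFIG: print one finding per line (no output = clean).
audit_config() {
    local docroot cfg q="[\"']" sp='[[:space:]]*'
    docroot=$(cd "$1" && pwd -P) || { echo "BAD_DOCROOT $1"; return 0; }
    # Resolve the config's physical location so a symlinked directory cannot hide it.
    cfg=$(cd "$(dirname "$2")" && pwd -P)/$(basename "$2")
    [ -f "$cfg" ] || { echo "MISSING $2"; return 0; }

    # Steps 1 and 2: the application still logs in as root, or with a blank password.
    if grep -Eq "^${sp}\\\$dbuname${sp}=${sp}${q}root${q}" "$cfg"; then
        echo "USES_ROOT"
    fi
    if grep -Eq "^${sp}\\\$dbpass${sp}=${sp}${q}${q}" "$cfg"; then
        echo "BLANK_PASSWORD"
    fi

    # Step 3: the file sits under the web root, so a PHP failure serves it as text.
    case "$cfg" in
        "$docroot"/*) echo "INSIDE_DOCROOT" ;;
    esac

    # Local-user caveat: the "other" read bit lets every account on the host read it.
    if [ "$(ls -ld "$cfg" | cut -c8)" = "r" ]; then
        echo "WORLD_READABLE"
    fi
    return 0
}

# Constructed demo: a default-style install next to a hardened layout.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/public_html" "$t/private"
    printf '<?php\n$dbuname = "root";\n$dbpass = "";\n' > "$t/public_html/config.php"
    printf '<?php\n$dbuname = "nuke_app";\n$dbpass = "constructed-secret";\n' > "$t/private/config.php"
    chmod 644 "$t/public_html/config.php"; chmod 640 "$t/private/config.php"
    echo "default:";  audit_config "$t/public_html" "$t/public_html/config.php"
    echo "hardened:"; audit_config "$t/public_html" "$t/private/config.php"
    rm -rf "$t"
}
demo
```

With mode 640 the file's group has to be the one the web server runs as (the nobody/www-data user mentioned above), otherwise PHP cannot read it.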

Security

Posted: Sun Feb 01, 2004 2:07 pm
by stealthkk
Thanks man! That's a good idea. I wonder why the default install (i.e. if one didn't know that) wouldn't protect against that?
Thanks anyway for the help :)