DB Users and Security

i was reading onion2K's comments on a different topic (viewtopic.php?t=42126) about having three different db users...

onion2K wrote:On a live production site you should have at least 3 separate database users .. one that only has select privs for the general pages that just get data from the database, one that has insert and update privs on the tables that are modified through the front end (registration pages, checkout pages, etc), and one for back end admin pages.

What's more of the details / reasons for this?
Defense in depth. If a page gets compromised and all that page is doing is selecting data, and the mysql user that page is using only has select privileges, the worst the malicious user could do is select stuff. Although your scripts should already prevent against things that would even allow someone to cause a delete statement on a page that is selecting data, tell me this:
what is the disadvantage to multiple users?
it can only help..
My question isn't so much why you would have them, more of the application of them... i don't understand exactly how they would be employed...
Would you use a different user for the pages that process form information and a separate one for the main pages that don't do form processing? and the third wouldn't show up except in backend maintenance?
Zoram wrote:My question isn't so much why you would have them, more of the application of them... i don't understand exactly how they would be employed...

Would you use a different user for the pages that process form information and a separate one for the main pages that don't do form processing? and the third wouldn't show up except in backend maintenance?

Imagine your database is called "shop", and you set up one user called "shop_user". To connect to the db you'd use:

Code:
$database = mysql_connect("localhost","shop_user","password");
mysql_select_db("shop", $database); // database name first, then the link

If you created three database users then any bug that someone found would still be able to issue commands to the database but only with the privs held by the database user of the script the bug exploited. In a general listing page you'd use a user called, for example, "shop_general":
Code:
$database_general = mysql_connect("localhost","shop_general","password");
mysql_select_db("shop", $database_general); // database name first, then the link

If you use more than one database user and your script is connected with two users in the same page you need to remember to specify the database connection in your mysql_query() commands:
Code:
mysql_query("select * from table",$database_general);

Is there anything special that you have to do in order to use multiple connections to one database?

I tried to establish two separate connections to the same db but it won't execute when i do so.

Code:
// $dbHost, $dbName and the two credential pairs are defined above this point
// Select Connection
$dbSelect = mysql_connect($dbHost, $dbUserSelect, $dbPassSelect) or die("Could not connect to Database, try again later.");
mysql_select_db($dbName, $dbSelect) or die("Could not select Database, try again later.");
// Edit Connection
$dbEdit = mysql_pconnect($dbHost, $dbUserEdit, $dbPassEdit) or die("Could not connect to Database, try again later.");
mysql_select_db($dbName, $dbEdit) or die("Could not select Database, try again later.");

But when i try to use the $dbSelect Connection it fails. what do you need to do in order to use the same db with multiple connections?
When you query you have to specify your connection handle:

resource mysql_query ( string query [, resource link_identifier] )

You could also specify a new link in your connection call:

resource mysql_connect ( [string server [, string username [, string password [, bool new_link [, int client_flags]]]]] )

hope that helps.....
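As an added example (not code from the thread), here is onion2K's three-user scheme wired up end to end with mysqli, which is what replaces the mysql_* functions used above (the mysql extension was removed in PHP 7). It also covers the later question about running two connections against one database: every mysqli_connect() call returns its own link object, and each query is issued through the link whose privileges it needs. The database name shop, the tables products, customers and orders, the users shop_general, shop_front and shop_admin, the hostnames and the passwords are all assumptions for illustration; the GRANT statements in the header comment are what actually give each user only the privileges its pages need.

```php
<?php
// Added example, not code from the thread. Assumed: database "shop", tables
// "products", "customers" and "orders", and MySQL users shop_general (SELECT only),
// shop_front (SELECT plus INSERT/UPDATE on the tables the front end writes) and
// shop_admin (full DML, used only by back-end admin pages).
//
// Provision the users once, as a privileged MySQL account (hostnames and
// passwords are placeholders):
//   CREATE USER 'shop_general'@'localhost' IDENTIFIED BY '<general-password>';
//   GRANT SELECT ON shop.* TO 'shop_general'@'localhost';
//   CREATE USER 'shop_front'@'localhost' IDENTIFIED BY '<front-password>';
//   GRANT SELECT ON shop.* TO 'shop_front'@'localhost';
//   GRANT INSERT, UPDATE ON shop.customers TO 'shop_front'@'localhost';
//   GRANT INSERT, UPDATE ON shop.orders TO 'shop_front'@'localhost';
//   CREATE USER 'shop_admin'@'localhost' IDENTIFIED BY '<admin-password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_admin'@'localhost';

declare(strict_types=1);

// Throw mysqli_sql_exception on any error instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Only the roles this (front-end) deployment needs are present here; the
// shop_admin credentials are deployed with the admin pages alone, so a bug in a
// public page cannot reach them. Load real credentials from outside the web root.
const DB_ROLES = [
    'general' => ['user' => 'shop_general', 'pass' => 'general-password'],
    'front'   => ['user' => 'shop_front',   'pass' => 'front-password'],
];

/**
 * Open a connection for one role. Each mysqli_connect() call returns its own
 * link object, so two roles never share a connection; every query below is
 * issued through the link that holds the privileges it needs.
 */
function db_for_role(string $role): mysqli
{
    if (!isset(DB_ROLES[$role])) {
        throw new InvalidArgumentException("unknown database role: $role");
    }
    $cred = DB_ROLES[$role];
    return mysqli_connect('localhost', $cred['user'], $cred['pass'], 'shop');
}

/** Read-only listing page: only the SELECT-only link is ever used here. */
function list_products(mysqli $general): array
{
    $stmt = $general->prepare('SELECT id, name, price FROM products ORDER BY id');
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/** Checkout page: reads through the general link, writes through the front link. */
function place_order(mysqli $general, mysqli $front, int $customerId, int $productId): int
{
    $stmt = $general->prepare('SELECT price FROM products WHERE id = ?');
    $stmt->bind_param('i', $productId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        throw new RuntimeException("no product with id $productId");
    }
    $price = (float) $row['price'];
    $stmt = $front->prepare('INSERT INTO orders (customer_id, product_id, price) VALUES (?, ?, ?)');
    $stmt->bind_param('iid', $customerId, $productId, $price);
    $stmt->execute();
    return (int) $front->insert_id;
}

$general = db_for_role('general');
$front   = db_for_role('front');

// The privilege boundary is enforced by the server, not by PHP: a DELETE sent
// through the SELECT-only link is refused by MySQL with "DELETE command denied
// to user 'shop_general'@'localhost' ...", whether it was injected or miscoded.
try {
    $general->query('DELETE FROM products');
} catch (mysqli_sql_exception $e) {
    echo 'refused by MySQL: ' . $e->getMessage() . "\n";
}

print_r(list_products($general));
echo 'new order id: ' . place_order($general, $front, 1, 1) . "\n";
```

The design point is that the front-end code never holds a credential that could delete or alter schema: a SQL injection in a listing page lands on shop_general and can only read, one in the checkout lands on shop_front and can only insert or update the two tables it was granted, and shop_admin exists only in the admin deployment.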