server side problem?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

server side problem?

Post by bredoteau »

Hi,

I've created a webshop that works fine on my offline server and on my online test server.
Now it should run on a commercial server, but it won't work.

1. my php code creates and modifies text files, but changes are not saved. I guess this is a simple rights problem, but how can I solve it - is it a php setting or must the provider himself set the rights?

2. mysql database: There is no phpMyadmin or stuff. How can I set up a database? My code only _uses_ an existing db. In general I know only how to use those sql commands that take effect when you are already connected to a db, but how to send higher mysql commands, like create database or list all existing databases?

3. security: a guy told me to use strong passwords. Which are strong? If I use a pw similar to a php session variable and check its existence in each document, will it be safe?

Kind regards...
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: server side problem?

Post by Roja »

bredoteau wrote:3. security: a guy told me to use strong passwords. Which are strong?
Passwords containing the word "Muscles".

Yes, I am kidding.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: server side problem?

Post by josh »

bredoteau wrote:Hi,

I've created a webshop that works fine on my offline server and on my online test server.
Now it should run on a commercial server, but it won't work.

1. my php code creates and modifies text files, but changes are not saved. I guess this is a simple rights problem, but how can I solve it - is it a php setting or must the provider himself set the rights?

2. mysql database: There is no phpMyadmin or stuff. How can I set up a database? My code only _uses_ an existing db. In general I know only how to use those sql commands that take effect when you are already connected to a db, but how to send higher mysql commands, like create database or list all existing databases?

3. security: a guy told me to use strong passwords. Which are strong? If I use a pw similar to a php session variable and check its existence in each document, will it be safe?
1. Try outputting the error (change error_reporting to E_ALL). The command to change file permissions on Linux is chmod.

2. You can get phpMyAdmin for free, google for it. MySQL is free too; phpMyAdmin is just a tool for administering MySQL databases. The MySQL manual teaches you how to create tables and such; phpMyAdmin can also do this for you.

3. Passwords should be case sensitive, containing both uppercase and lowercase characters, contain symbols like underscores and also contain numbers. Passwords should never be shorter than 6 characters, that's the minimum.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

In general I know only how to use those sql commands that take effect when you are already connected to a db, but how to send higher mysql commands, like create database or list all existing databases?
You pass the command along like you would any ordinary query

Code:

mysql_query('CREATE TABLE `blah` ... ') or die(mysql_error());
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

For the above to work (depending on setup and mysql users) you may need to have credentials connecting to the database set to a User with permissions to create databases. Don't leave it this way though - if possible.

See a lot of stuff about having such Users setup for PHP Applications which I consider a needless security risk - why put plain text credentials in a PHP file for a User capable of creating/dropping entire databases when a simple User with read/write only permissions is far far safer...
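
Maugrim_The_Reaper's point about which account ends up in the PHP file can be checked against what MySQL itself reports. The PHP below is an added example, not code from any poster in this thread: it parses `SHOW GRANTS` rows and lists every privilege beyond row-level read/write. The function name, the account names and the sample grant rows are constructed for illustration.

```php
<?php
// Added example (not from the thread): report what a MySQL account can do
// beyond reading and writing rows, based on its SHOW GRANTS output.

// Privileges the application's day-to-day account needs; USAGE means "no privileges".
const DATA_PRIVILEGES = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'USAGE'];

/**
 * @param string[] $grantLines rows as returned by SHOW GRANTS
 * @return array<string, string[]> scope => privileges beyond read/write
 */
function excess_privileges(array $grantLines): array
{
    $excess = [];
    foreach ($grantLines as $line) {
        // Row shape: GRANT <privileges> ON <scope> TO <account> [WITH GRANT OPTION]
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(.+?)\s+TO\s+(.+)$/i', trim($line), $m)) {
            continue; // not a privilege row
        }
        // Drop column lists such as "SELECT (id, name)" before splitting on commas.
        $list  = preg_replace('/\s*\([^)]*\)/', '', strtoupper($m[1]));
        $privs = array_map('trim', explode(',', $list));
        if (stripos($m[3], 'WITH GRANT OPTION') !== false) {
            $privs[] = 'GRANT OPTION'; // account can hand its rights to others
        }
        $extra = array_values(array_diff($privs, DATA_PRIVILEGES));
        if ($extra !== []) {
            $excess[$m[2]] = array_merge($excess[$m[2]] ?? [], $extra);
        }
    }
    return $excess;
}

// Constructed sample rows: a setup account and a read/write-only account.
$setupAccount = [
    "GRANT ALL PRIVILEGES ON *.* TO 'shop_setup'@'localhost' WITH GRANT OPTION",
];
$runtimeAccount = [
    "GRANT USAGE ON *.* TO 'shop_app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'shop_app'@'localhost'",
];

foreach (['shop_setup' => $setupAccount, 'shop_app' => $runtimeAccount] as $name => $rows) {
    $extra = excess_privileges($rows);
    echo $name, ': ', $extra === [] ? 'read/write only' : json_encode($extra), PHP_EOL;
}
```

On a live server, feed it the rows from `SHOW GRANTS FOR CURRENT_USER` run over the application's own connection.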
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Re: server side problem?

Post by bredoteau »

1. Try outputting the error (change error_reporting to E_ALL). The command to change file permissions on Linux is chmod.
OK, but this does not enable php to create NEW files. Modifying existing files works now.
2. You can get phpMyAdmin for free, google for it. MySQL is free too; phpMyAdmin is just a tool for administering MySQL databases. The MySQL manual teaches you how to create tables and such; phpMyAdmin can also do this for you.
I could never get high-leveled messages across to MySQL (like "create database"). Creating or querying tables once I am connected to a db is no problem, so I always used phpmyadmin. I even tried to understand how phpmyadmin does the trick, but I got lost in all those files.
However, I don't think I can install phpmyadmin simply by uploading it with an FTP program, right? But this is the only thing I can do, coz I am not the server myself.
3. Passwords should be case sensitive, containing both uppercase and lowercase characters, contain symbols like underscores and also contain numbers. Passwords should never be shorter than 6 characters, that's the minimum.
Thanks!
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

Maugrim_The_Reaper wrote:For the above to work (depending on setup and mysql users) you may need to have credentials connecting to the database set to a User with permissions to create databases. Don't leave it this way though - if possible.

See a lot of stuff about having such Users setup for PHP Applications which I consider a needless security risk - why put plain text credentials in a PHP file for a User capable of creating/dropping entire databases when a simple User with read/write only permissions is far far safer...
Thanks, a reasonable comment!

Yes, I'd like to be able to set up the db and then 'kill' the user at least temporarily. But heck, if only they would let me set up my db in the first place!
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

Jcart wrote: You pass the command along like you would any ordinary query

Code:

mysql_query('CREATE TABLE `blah` ... ') or die(mysql_error());
As said, creating tables is NO problem. How would you create a database or view all existing dbs?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

To create a database:

Code:

CREATE DATABASE `test_db`
Listing databases:

Code:

SHOW DATABASES
http://dev.mysql.com/doc/refman/5.1/en/.. gotta love the manual..
bredoteau
Forum Newbie
Posts: 18
Joined: Fri Apr 01, 2005 7:46 am

Post by bredoteau »

Jcart wrote:To create a database:

Code:

CREATE DATABASE `test_db`
Listing databases:

Code:

SHOW DATABASES
http://dev.mysql.com/doc/refman/5.1/en/.. gotta love the manual..
Yeah, but how do I transmit this? Using mysql_query doesn't work.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Works for me on mysql 4.1 and php4.3.something on apache 1.3