I wrote a script in php that accesses a mySQL database. The database has a table that contains email addresses. If I google one of the email addresses I come up with the following:
phpMyAdmin
3, jamesbakertpa@yahoo.com, Mr. Baker. Edit • Delete, 176, Bob.Shaye@newline.com, Robert, Shaye. Edit • Delete, 177, Michael.Lynne@newline.com, Michael ...
http://www.florida-family.org/phpmyadmi ... tf8_genera... - 67k - Cached - Similar pages
This search is going right into my database and pulling info from it. I googled another email and it gave me all the emails in the database. My IPS is telling me that I must secure the data thru my web code. Can you help me? I don't know exactly what I need to do to secure this info.
Securing mySQL database with php code
robert4442
Re: Securing mySQL database with php code
Are you sure that the search engine obtained the information from your site? As far as I know, if you use standard php programming and database connections, a search engine bot can't retrieve data from a database. For one thing, the location of the data is outside the web server root. There are many other possible sources for most of this kind of information.
Re: Securing mySQL database with php code
You have to close the access to phpmyadmin! It's totally open and reachable from the web. I can go there and manage your complete db, read, empty, drop. Close down access immediately. I hope the information in the db is not real personal info?
Re: Securing mySQL database with php code
matthijs wrote: You have to close the access to phpmyadmin! It's totally open and reachable from the web. I can go there and manage your complete db, read, empty, drop. Close down access immediately. I hope the information in the db is not real personal info?
matthijs hit this one on the button. Search engines go to your web site and extract as many URLs as they can find and follow each and every URL (excluding the ones that contain a specific link attribute), searching for more URLs on your web site. As already stated, your phpmyadmin does not require authentication at all, which would deny a Web Crawler.
This is how it should look for your phpmyadmin directory:
http://spirit.dos.uci.edu/phpmyadmin/
Re: Securing mySQL database with php code
Aha! Important advice! So if you run your own server and install phpmyadmin yourself, you may have a vulnerability? I used to operate my own servers and may have had such an issue. Now I use a hosting service that protects it within their own user control panel. I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs. I followed the link that vapin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??
Re: Securing mySQL database with php code
califdon wrote: Aha! Important advice! So if you run your own server and install phpmyadmin yourself, you may have a vulnerability? I used to operate my own servers and may have had such an issue. Now I use a hosting service that protects it within their own user control panel. I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs. I followed the link that vapin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??
Yes. You definitely need to protect that.
When I looked at the link I had direct access to phpmyadmin. No password required. So any bot can crawl that too. I think robert wisely removed it now.
Re: Securing mySQL database with php code
califdon wrote: Aha! Important advice! So if you run your own server and install phpmyadmin yourself, you may have a vulnerability? I used to operate my own servers and may have had such an issue. Now I use a hosting service that protects it within their own user control panel. I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs. I followed the link that vapin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??
califdon,
<<So if you run your own server and install phpmyadmin yourself, you may have a vulnerability?>>
If it's not installed correctly, definitely. Even if it is installed correctly and is accessible through the Internet, it can be easily hacked if not run on a secure server. What I mean is, your login credentials (username and password) can be sniffed by a hacker in plain text after you submit the login. A secure server will at least encrypt the data across the network.
http://netsecurity.about.com/cs/hackert ... 121403.htm
<<I'm still confused, though, about how a search engine bot gets beyond the login that phpmyadmin employs.>>
As matthijs has stated, robert4442's login page was not existent. His page took you directly to the admin controls.
<<I followed the link that vapin supplied and could only view the login screen. I realize that a hacker could very likely gain access, but how could a search engine crawler see anything there from the database??>>
The crawler can not see beyond the login page of the link I provided. The link I provided was done right. It was robert4442's page that was not.
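An added illustration, not part of any post in this thread: one common way a phpMyAdmin install ends up with no login screen, as described above, is `auth_type` set to `config`; the corrected form forces a login. The host, IP address and secret below are constructed placeholders, and the thread does not say how robert4442's install was actually configured.

```php
<?php
// phpMyAdmin config.inc.php -- added example, all values are constructed.

$i = 0;
$i++;

// WEAK (shown commented out): with auth_type 'config' the MySQL
// credentials live in this file, so every visitor who reaches the URL,
// a search engine crawler included, is logged in without any prompt.
// $cfg['Servers'][$i]['auth_type'] = 'config';
// $cfg['Servers'][$i]['user']      = 'root';
// $cfg['Servers'][$i]['password']  = 'PLACEHOLDER_PASSWORD';

// CORRECTED: 'cookie' makes phpMyAdmin show its own login form and
// keeps no database password in this file.
$cfg['blowfish_secret'] = 'REPLACE_WITH_A_LONG_RANDOM_SECRET'; // required for cookie auth
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host']      = 'localhost';

// Refuse accounts with an empty password and refuse the MySQL root
// account, so a forgotten default account cannot be used to log in.
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['AllowRoot']       = false;

// Optional second layer: only the listed address may log in at all.
// 203.0.113.10 is a documentation address standing in for an admin's IP.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'allow % from 203.0.113.10',
);

// The login form still sends the username and password over the
// network, so serve this directory over HTTPS only; otherwise the
// credentials cross the wire in plain text, as noted in the thread.
```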