[UPHPU] MySQL questions?

Steve Dibb sdibb at wonkabar.org
Sat Apr 24 13:44:23 MDT 2004


> A lot of security issues and possible solutions are discussed, like these,
> in a context where the threat you're trying to discuss has not been
> clearly identified. If the threat is SQL injection through your web site,
> the most important protections are already in place (mysql_query() allows
> only one query per call, and magic_quotes_gpc defaults to on). So to open
> yourself up to problems you actually have to try (turn magic quotes off,
> or stripslashes before you do the db call), in addition to being sloppy
> (not checking user-supplied parameters before inserting them in a db
> query).

I actually have magic_quotes turned off on my sites... I found they do 
more harm than good, since they sometimes escape characters that I don't 
want them to, or I'll have already written or am using a class / 
function that already checks for them.

> Maybe I'm not catching which threat you're concerned about, or I might be
> missing the attack vector that you're thinking of.

Not really trying to prove a point -- just explore the options, and 
reasons for using them.

I think a good application for using more than one user would be when 
you have an outside application that connects to the MySQL database. 
Even if someone could figure out the username/pwd combo from that 
application, it would be good if that user's permissions were only to 
read certain tables or update only certain things.

steve
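The separate-account idea in the last paragraph, as an added example that is not part of the original post. The database name `shop`, the tables `products`, `orders` and `admin_users`, the host `10.0.0.5` and the account `report_app` are all made up for illustration; the GRANT syntax is standard MySQL.

```sql
-- Added example, not from the thread. Everything named here
-- (database "shop", its tables, the account 'report_app'@'10.0.0.5')
-- is hypothetical and constructed for illustration.

-- Minimal schema so the statements below have something to apply to.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;
CREATE TABLE products    (id INT PRIMARY KEY, name VARCHAR(100), price DECIMAL(10,2));
CREATE TABLE orders      (id INT PRIMARY KEY, product_id INT, qty INT, status VARCHAR(20));
CREATE TABLE admin_users (id INT PRIMARY KEY, login VARCHAR(50), pw_hash CHAR(60));

-- Weak setting: one all-powerful account shared by every application.
-- If the outside application leaks this password, admin_users goes with it.
-- CREATE USER 'webapp'@'%' IDENTIFIED BY 'shared-secret';
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- Least-privilege account for the outside application instead:
-- read two tables, update one column of one table, nothing else,
-- and only from the host the application actually runs on.
CREATE USER 'report_app'@'10.0.0.5' IDENTIFIED BY 'use-a-long-random-secret';
GRANT SELECT          ON shop.products TO 'report_app'@'10.0.0.5';
GRANT SELECT          ON shop.orders   TO 'report_app'@'10.0.0.5';
GRANT UPDATE (status) ON shop.orders   TO 'report_app'@'10.0.0.5';

-- Check what the account can really do before handing out the password.
SHOW GRANTS FOR 'report_app'@'10.0.0.5';

-- Connected as report_app, these succeed:
SELECT id, name, price FROM products;
UPDATE orders SET status = 'shipped' WHERE id = 42;

-- ...and these are refused by the server (ERROR 1142 table access denied,
-- ERROR 1143 column access denied), which is the whole point:
-- SELECT * FROM admin_users;
-- UPDATE orders SET qty = 0 WHERE id = 42;
-- DROP TABLE orders;
```

If the application's credentials are later recovered from its config file or binary, the attacker still cannot read `admin_users`, change order quantities or drop tables, and cannot connect at all from a host other than `10.0.0.5`; the permissions, not the secrecy of the password, are doing the work.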


