[UPHPU] MySQL questions?
sdibb at wonkabar.org
Sat Apr 24 13:44:23 MDT 2004
> A lot of security issues and possible solutions are discussed, like these,
> in a context where the threat you're trying to discuss has not been
> clearly identified. If the threat is SQL injection through your web site,
> the most important protections are already in place (mysql_query() allows
> only one query per call, and magic_quotes_gpc defaults to on). So to open
> yourself up to problems you actually have to try (turn magic quotes off,
> or stripslashes before you do the db call), in addition to being sloppy
> (not checking user-supplied parameters before inserting them in a db
I actually have magic_quotes turned off on my sites... I found they do
more harm than good, since they sometimes escape characters that I don't
want them to, or I'll have already written or am using a class /
function that already checks for them.
> Maybe I'm not catching which threat you're concerned about, or I might be
> missing the attack vector that you're thinking of.
Not really trying to prove a point -- just explore the options, and
reasons for using them.
I think a good application for using more than one user would be when
you have an outside application that connects to the MySQL database.
Even if someone could figure out the username/pwd combo from that
application, it would be good if that user's permissions were only to
read certain tables or update only certain things.
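The split-account setup described above, as an added example that is not part of the original post: one MySQL account that can only read two tables and one that can only insert orders and update a single column. The database, table, column and account names (shop, orders, inventory, qty, app_reader, app_writer) and the 10.0.0.% host restriction are hypothetical; CREATE USER is MySQL 5.0+ syntax, and on the MySQL 4 of the post the same result is reached with GRANT ... IDENTIFIED BY.

```sql
-- Added example, not code from the original thread. All object and account
-- names below are hypothetical; adjust to your own schema.

-- 1. Read-only account for the outside application: SELECT on exactly two
--    tables, and only from the application subnet.
CREATE USER 'app_reader'@'10.0.0.%' IDENTIFIED BY 'use-a-long-random-password';
GRANT SELECT ON shop.orders    TO 'app_reader'@'10.0.0.%';
GRANT SELECT ON shop.inventory TO 'app_reader'@'10.00.%';

-- 2. Writer account: may insert orders and adjust the stock count, but a
--    column-level grant keeps it from touching any other inventory column.
CREATE USER 'app_writer'@'10.0.0.%' IDENTIFIED BY 'another-long-random-password';
GRANT SELECT, INSERT       ON shop.orders    TO 'app_writer'@'10.0.0.%';
GRANT SELECT, UPDATE (qty) ON shop.inventory TO 'app_writer'@'10.0.0.%';
-- Deliberately absent: DELETE, DROP, FILE, GRANT OPTION, and anything on
-- mysql.* or on other databases.

-- 3. Check what a leaked username/password would actually buy an attacker.
SHOW GRANTS FOR 'app_reader'@'10.0.0.%';
SHOW GRANTS FOR 'app_writer'@'10.0.0.%';

-- Run as app_writer, each of these is rejected with a "command denied" error:
--   UPDATE shop.inventory SET price = 0 WHERE id = 1;  -- price is not in the UPDATE grant
--   DELETE FROM shop.orders;                            -- no DELETE privilege
--   SELECT * FROM mysql.user;                           -- no privileges on mysql.*
```

Hold the two sets of credentials in different places (the reporting tool gets app_reader, the order-taking code gets app_writer), so that compromising one component reveals only the privileges that component needed.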