From: Don S. <do...@se...> - 2003-05-13 12:18:23
I don't think this is really necessary. If phpWebSite is somehow tricked into entering SQL code that is entered into a form, then that is the real problem and we need to capture that and exit the save function and give a stern error to the user.

Don.

On Mon, 12 May 2003, Richard Sumilang wrote:

> I think there should be a configuration option to set up 3 SQL users.
> One user that has the ability to create and drop databases, one user
> who has the ability to read/insert/update/delete rows from tables, and
> another user who has the ability to create/drop tables. The reason for
> this is what if a malicious user were to type into a form field SQL code
> to drop a table? Even better yet, drop a database! That wouldn't be
> very fun... So my suggestion is when using the core's sqlInsert
> function for example should use the user account that can
> read/insert/and only update tables. When installing a mod and usually
> using sqlImport function should call upon the user who can only create
> and drop databases. Of course since some people on their hosting
> providers can only have one SQL user on databases like MySQL that has
> full control over their database which means the system should
> automatically check if the other users exist and if not, use the
> default user account provided. Many companies practice this as a
> security rule of thumb and I think this CMS should do so also.
>
> Let me know your feedback :-)
>
> Best Regards,
>
> Richard Sumilang
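The three-account split proposed in the quoted message, written as MySQL grants beside the single full-control account it would replace. This is an added example, not code from phpWebSite or from either poster; the database name, account names and passwords are placeholders, and the syntax assumes a MySQL server that supports CREATE USER.

```sql
-- Added example; every name and password here is a placeholder.

-- Before: one account with full control, used for every query.
CREATE USER 'phpws_all'@'localhost' IDENTIFIED BY 'CHANGE_ME_0';
GRANT ALL PRIVILEGES ON `phpws_db`.* TO 'phpws_all'@'localhost';

-- After: three accounts, one per class of operation.

-- 1. Row access only (read/insert/update/delete). The message
--    suggests the core's sqlInsert would connect with this account.
CREATE USER 'phpws_rw'@'localhost' IDENTIFIED BY 'CHANGE_ME_1';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `phpws_db`.* TO 'phpws_rw'@'localhost';

-- 2. Create/drop tables inside the site's database only.
--    In MySQL, DROP granted at database level also permits
--    DROP DATABASE on that one database.
CREATE USER 'phpws_ddl'@'localhost' IDENTIFIED BY 'CHANGE_ME_2';
GRANT CREATE, DROP
    ON `phpws_db`.* TO 'phpws_ddl'@'localhost';

-- 3. Create/drop databases. This needs global scope, which also
--    covers tables in every database on the server. The message
--    suggests sqlImport would connect with this account.
CREATE USER 'phpws_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME_3';
GRANT CREATE, DROP ON *.* TO 'phpws_admin'@'localhost';

-- Review what each account actually holds.
SHOW GRANTS FOR 'phpws_rw'@'localhost';
SHOW GRANTS FOR 'phpws_ddl'@'localhost';
SHOW GRANTS FOR 'phpws_admin'@'localhost';

-- Once the split accounts are in use, retire the full-control one.
DROP USER 'phpws_all'@'localhost';
```

With `phpws_rw`, a `DROP TABLE` that reaches the server through a form field is refused for lack of privilege. Injected `SELECT`, `UPDATE` or `DELETE` statements are still within that account's grants, so the input handling the reply asks for is needed either way.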