Menu
▾
▴
Re: [Phpwebsite-developers] Security Suggestion
|
From: <ad...@tu...> - 2003-05-13 17:33:46
|
A big issue with creating multiple database users to access different database functions is the fact that a lot of our users host with hosting companies that only allow them one database/user/pass. The core's PHPWS_TExt::parseInput function could be updated to check for submitted sql queries and remove them without too much fuss and it's already in place on most input fields. This would allow ALL users to take advantage of this added security. Just my 2 cents. Adam > I think it would be more efficient for people who have access to create > more than one SQL user to stop the process from the SQL server rather > than taking up any more resources with php. It will be more work to > create another function to make sure you don't feature that code in > your queries however it's a good idea for people who just have one > possible SQL user. > > Regards, > > Richard Sumilang. > > On Tuesday, May 13, 2003, at 05:17 AM, Don Seiler wrote: > >> I don't think this is really necessary. If phpWebSite is somehow >> tricked >> into entering SQL code that is entered into a form, then that is the >> real >> problem and we need to capture that and exit the save function and >> give a >> stern error to the user. >> >> Don. >> >> On Mon, 12 May 2003, Richard Sumilang wrote: >> >>> I think there should be a configuration option to set up 3 SQL users. >>> One user that has the ability to create and drop databases, one user >>> who has the ability to read/insert/update/delete rows from tables, and >>> another user who has the ability to create/drop tables. The reason for >>> this is what is malicious user where to type into a form field SQL >>> code >>> to drop a table? Even better yet, drop a database! That wouldn't be >>> very fun... So my suggestion is when using the core's sqlInsert >>> function for example should use the user account that can >>> read/insert/and only update tables. When installing a mod and usually >>> using sqlImport function should call upon the user who can only create >>> and drop databases. Of course since some people on their hosting >>> providers can only have one SQL user on databases like MySQL that has >>> full control over their database which means the system should >>> automatically check if the other users exist and if not, use the the >>> default user account provided. Many companies practice this as a >>> security rule of thumb and I think this CMS should do so also. >>> >>> Let me know you feed back :-) >>> >>> Best Regards, >>> >>> Richard Sumilang >>> >>> >>> >>> ------------------------------------------------------- >>> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara >>> The only event dedicated to issues related to Linux enterprise >>> solutions >>> www.enterpriselinuxforum.com >>> >>> _______________________________________________ >>> Phpwebsite-developers mailing list >>> Php...@li... >>> https://lists.sourceforge.net/lists/listinfo/phpwebsite-developers >>> >>> >>> >> >> >> ------------------------------------------------------- >> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara >> The only event dedicated to issues related to Linux enterprise >> solutions >> www.enterpriselinuxforum.com >> >> _______________________________________________ >> Phpwebsite-developers mailing list >> Php...@li... >> https://lists.sourceforge.net/lists/listinfo/phpwebsite-developers >> >> > > > > ------------------------------------------------------- > Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara > The only event dedicated to issues related to Linux enterprise solutions > www.enterpriselinuxforum.com > > _______________________________________________ > Phpwebsite-developers mailing list > Php...@li... > https://lists.sourceforge.net/lists/listinfo/phpwebsite-developers > -- Adam Morton Developer - Electronic Student Services http://phpwebsite.appstate.edu Founder - Appalachian Linux Users Group http://alug.appstate.edu |
