From: Jeremy A. <ja...@tu...> - 2003-05-13 17:40:03
One point I would like to add. Even a restricted user can cause problems. With what is proposed, the account would still have delete options. Any malicious user can just have it cycle through and delete all the content. True, it is harder, but you get a false sense of security even with a restricted SQL user. Bots can batch attack and you are still out of luck. The code should be the main line of security, not the SQL user. This doesn't mean you should not separate different sites to restricted users, each not allowed to see/use each other.

> I think there should be a configuration option to set up 3 SQL users.
> One user that has the ability to create and drop databases, one user
> who has the ability to read/insert/update/delete rows from tables, and
> another user who has the ability to create/drop tables. The reason for
> this is what if a malicious user were to type into a form field SQL code
> to drop a table? Even better yet, drop a database! That wouldn't be
> very fun... So my suggestion is when using the core's sqlInsert
> function for example should use the user account that can
> read/insert/and only update tables. When installing a mod and usually
> using sqlImport function should call upon the user who can only create
> and drop databases. Of course since some people on their hosting
> providers can only have one SQL user on databases like MySQL that has
> full control over their database which means the system should
> automatically check if the other users exist and if not, use the
> default user account provided. Many companies practice this as a
> security rule of thumb and I think this CMS should do so also.
>
> Let me know your feedback :-)
>
> Best Regards,
>
> Richard Sumilang

-- 
Jeremy Agee
phpWebSite Development Team (http://phpwebsite.appstate.edu)
Appalachian State University
SF.net id: jagee or 94756
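As an added illustration of the three-account split discussed above (not code from this thread or from phpWebSite), here is how the split looks as MySQL GRANT statements, with comments marking where MySQL's privilege model does not separate things as cleanly as the proposal assumes and where Jeremy's objection still applies. The account names, the passwords and the database name `phpws` are assumed placeholders.

```sql
-- Constructed example: three MySQL accounts for one phpWebSite install.
-- Run as an administrative account. Database name 'phpws', user names
-- and passwords are placeholders; substitute real values.

-- 1. Database-level account (create/drop databases).
--    Caveat: MySQL has no separate "database creation" privilege. CREATE and
--    DROP granted on *.* also allow creating and dropping tables in every
--    database on the server, so this account is the most powerful of the three.
CREATE USER 'phpws_dba'@'localhost' IDENTIFIED BY 'CHANGE_ME_1';
GRANT CREATE, DROP ON *.* TO 'phpws_dba'@'localhost';

-- 2. Schema account for mod installs (create/drop tables), limited to the
--    site's own database. Caveat: DROP at database level still permits
--    DROP DATABASE phpws, so scope this account's use to install time only.
CREATE USER 'phpws_ddl'@'localhost' IDENTIFIED BY 'CHANGE_ME_2';
GRANT CREATE, DROP, ALTER, INDEX ON phpws.* TO 'phpws_ddl'@'localhost';

-- 3. Runtime account used by the core's row operations (sqlInsert etc.).
--    It cannot drop tables or databases. As Jeremy notes, DELETE (and UPDATE)
--    remain available, so SQL reaching this account through an unvalidated
--    form field can still destroy the site's content row by row. Restricting
--    the account limits blast radius; it does not replace escaping or
--    parameterising the input in the PHP code.
CREATE USER 'phpws_app'@'localhost' IDENTIFIED BY 'CHANGE_ME_3';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpws.* TO 'phpws_app'@'localhost';

FLUSH PRIVILEGES;

-- Verify each account ended up with exactly the intended set before going live.
SHOW GRANTS FOR 'phpws_dba'@'localhost';
SHOW GRANTS FOR 'phpws_ddl'@'localhost';
SHOW GRANTS FOR 'phpws_app'@'localhost';
```

On shared hosting with a single full-privilege account, as Richard describes, all three connections simply resolve to that one user, and the code-level defence Jeremy calls for is the only one left.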