Hello Simon.

On Fri, Jun 15, 2001 at 05:08:18PM -0400, [EMAIL PROTECTED] wrote:
> Could not find a bug report form.  So I am telling y'all...
> 
> Platform:  FreeBSD 4.3 (I do not think it matters)
> 
> After creating a new database, I ran:
> 
> update user set password = 'SomeJunk' where user = 'root';
> 
> This inserts the string 'SomeJunk' literally into the database,
> unencrypted.  This is SQL expected but the result is a database
> lockout (not to mention the security breach of having the clear
> password stored in a file).

As you say yourself, this is expected behaviour. Only because a
certain statement could be used in a false way, MySQL should not break
the SQL standard. Btw, which behaviour would you suggest?

> I got the smart idea to assign a root password like this from the
> Bugzilla-Guide.txt file that comes with Bugzilla.

Tips for resetting the root password can be found here:

http://www.mysql.com/doc/R/e/Resetting_permissions.html

but I assume you already did that, because you are quoting the user
table below.

> 
> If there is a better way to assign passwords, please let me know.

With "setting password" in the search form of the mysql online manual
I found as second suggestion: "6.15 Setting Up Passwords":

http://www.mysql.com/doc/P/a/Passwords.html

> mysql> select host, user, password from user;
> +-----------+---------+------------------+
> | host      | user    | password         |
> +-----------+---------+------------------+
> | localhost | root    | 7d30d6e5796d165e |
> | nomis     | root    | 7d30d6e5796d165e |

I would strongly suggest to refrain from posting passwords publicly
(encrypted or not), except if you are using test passwords which you
will change soon again.

> | localhost |         |                  |
> | nomis     |         |                  |
> | localhost | ShimonR | 7d30d6e5796d165e |
> +-----------+---------+------------------+
> 5 rows in set (0.00 sec)
> 
> Does this mean that any user from localhost or from nomis can connect?

Yes.

Bye,

        Benjamin.        
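
The statement from the thread beside its hashing form, with two audit queries for the user table quoted above. This is an added example, not part of the original messages; it assumes a MySQL server of the thread's era (a `password` column in `mysql.user` and the `PASSWORD()` function), and `'ChangeMe-constructed'` is a constructed placeholder.

```sql
-- Added example; assumes the grant-table layout shown in the thread
-- (mysql.user with host, user, password columns).
USE mysql;

-- What the original poster ran (kept commented out): the string is stored
-- literally, which the thread reports as a lockout plus a clear-text password.
-- UPDATE user SET password = 'SomeJunk' WHERE user = 'root';

-- Hashing form: PASSWORD() computes the hash before the value is stored.
UPDATE user
   SET password = PASSWORD('ChangeMe-constructed')   -- constructed value
 WHERE user = 'root';

-- Direct edits to the grant tables only take effect after a reload.
FLUSH PRIVILEGES;

-- Alternative that targets one host/user row and needs no manual reload.
SET PASSWORD FOR root@localhost = PASSWORD('ChangeMe-constructed');

-- Audit 1: rows with an empty password, like the two anonymous rows in the
-- quoted table. Any client matching the host can connect as these accounts.
SELECT host, user
  FROM user
 WHERE password = '';

-- Audit 2: non-empty values that are not 16 hex digits (the hash shape shown
-- in the quoted table) are probably literal strings stored without PASSWORD().
SELECT host, user
  FROM user
 WHERE password <> ''
   AND password NOT REGEXP '^[0-9a-f]{16}$';

-- Remediation for Audit 1 when anonymous access is not wanted.
DELETE FROM user WHERE user = '';
FLUSH PRIVILEGES;
```

Current MySQL releases no longer have the `password` column or the `PASSWORD()` function; there, `ALTER USER ... IDENTIFIED BY` takes their place.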
