> Hi!
>
> On Oct 28, Kevin Maynard wrote:
> > I have been building an extensive dB with MySQL for a large Insurance
> > Company and am nearing the completion stage. I have built several PHP
> > forms to show the preliminary pages to the various groups who will be
> > using this dB.
> >
> > I have created the sign-in page where each user types in their ID
> > and PW. From then on each query uses those variables for credentials.
> > To avoid duplication, I would like to use the USER form from the MySQL
> > dB.
>
> You shouldn't do it.
> This table is used by mysql server internally,
> and shouldn't be accessed directly.
> To modify this user table one should use GRANT and REVOKE statements.
> To read it - SHOW GRANTS.
>
> (actually, it can be accessed directly, but ONLY if you know
> what you're doing. It looks like you don't)
>
> > Since that uses the Password("PW") function, I can't seem to get my
> > validation query to work properly. For example:
> >
> > SELECT User,Password from user where (User=$ID AND Password=$PW);
> >
> > Result: Empty Set.
> >
> > SELECT User,Password from user where (User=$ID AND Password($PW));
> >
> > Result: Will match User only, will accept ANY PW.
>
> SELECT User,Password from user where (User=$ID AND Password=PASSWORD($PW));
>
> > Does anyone know how to properly check off the PW from the User table in
> > the MySQL db?
>
> The proper way is not to use system tables, and mysql db in general.
> Create your own database, and User table in it.
> And, lastly, you'd better use MD5() instead of PASSWORD().

Another good reason not to do this: At startup, mysqld reads all privileges for all users into memory - and they stay there whether or not those people log in. Seems to be a pretty stupid way of using up your RAM. Add to that the time spent by MySQL checking permissions for one in thousands of users for every single query - ugh...

/ Carsten
--
Carsten H. Pedersen
keeper and maintainer of the bitbybit.dk MySQL FAQ
http://www.bitbybit.dk/mysqlfaq
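
The advice in the quoted reply (keep application logins in your own table rather than in `mysql.user`), as an added example that is not part of the original thread. Assumptions: Python's built-in sqlite3 stands in for MySQL, the `app_users` table and all function names are hypothetical, salted PBKDF2 is used in place of the `MD5()` call the reply mentions, and bound parameters replace the `$ID`/`$PW` interpolation.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor for this example


def open_db():
    """Application-owned database and table; nothing here touches server grant tables."""
    db = sqlite3.connect(":memory:")  # stand-in for a dedicated MySQL schema
    db.execute(
        "CREATE TABLE app_users ("
        " login TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return db


def _derive(password, salt):
    # The hash is computed in the application, so the SQL never sees the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(db, login, password):
    salt = os.urandom(16)  # per-user salt: equal passwords give different hashes
    db.execute(
        "INSERT INTO app_users (login, salt, pw_hash) VALUES (?, ?, ?)",
        (login, salt, _derive(password, salt)),
    )


def check_login(db, login, password):
    """Return True only when the login exists AND the password hash matches."""
    row = db.execute(
        "SELECT salt, pw_hash FROM app_users WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        _derive(password, b"\x00" * 16)  # same work for unknown logins
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _derive(password, salt))


if __name__ == "__main__":
    db = open_db()
    add_user(db, "kmaynard", "constructed-sample-pw")  # constructed sample data
    print(check_login(db, "kmaynard", "constructed-sample-pw"))
    print(check_login(db, "kmaynard", "anything-else"))
```

The PHP pages would connect to the database with one application account and call the equivalent of `check_login` for each sign-in, so end users never need entries in the server's grant tables.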