> The guy passed this request to the hosting company (which he doesn't > want to change) and the answer is: > > if you *really* need to use PHP instead of ASP OK, but as far as MySQL > is concerned we only have one customer using it now, and if we gave it > to you too, then the two databases would be visible and writeable to > each other users.. unless *your* new webmaster programs our MySQL by > himself to avoid this problem.
That is one of the problem with most Virtual Hosting. The web server user is the often same for all users so you can use a scripting language to look at the files of other people's website. I'm talking about Unix/Apache server because it is what I know, but you can extrapolate to NT. For a script to access a database, it needs to write the connection on the files, and any other virtual user will therefore be able to see those files using php or asp. So any other user can read all access codes and duplicate them temselves. Which means having the same access to the database the other user has. You will also be able to write scripts to remove/add/modify any files that have the web server's permission. Worst, if your host gives a similar access code to your DB and FTP (which is often the case), you will be able to know your ftp user and pass. I must stress that this is not a MySQL issue, it is valid with any other database. I do work for various customers on various hosting systems and I must say that security within virtual hosting company is horrific between sites, regardless of OS. >From their comment it seems their server is insecure although Microsoft has blinded them in a sense of false security and warned them about "Open Source". The first thing you shoudl do is ask them how could you see the other person's db if you have different privileges. If they are able to answer this question and it makes sense; ask them why it isn't an issue on their MS server. I doubt they will answer well to those questions and you will have a extremelly valid point to request your customer to change provider: Security! regardless of the DB and script used. > > Now, leaving apart every comment on the quality of this ISP, what > should I do on their server to make it so that I can indeed set my > customer's PHP/MySQL pages without screwing anything up? I can usually > find my way enough about MySQL, but this situation is entirely new to > me. As a matter of fact, until yesterday I would have thought that it is > more difficult to set up Mysql like this (or find real people doing > it) than the other way around.. > > TIA, > mweb > > > --------------------------------------------------------------------- > Before posting, please check: > http://www.mysql.com/manual.php (the manual) > http://lists.mysql.com/ (the list archive) > > To request this thread, e-mail <[EMAIL PROTECTED]> > To unsubscribe, e-mail <[EMAIL PROTECTED]> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
