----- Original Message -----
From: "wcb" <[EMAIL PROTECTED]>
To: "Mark" <[EMAIL PROTECTED]>; "MySQL" <[EMAIL PROTECTED]>
Sent: Saturday, January 04, 2003 7:51 PM
Subject: Re: Hiding the password

> It isn't at all difficult to grasp. Please carefully (and exercising a
> certain amount of patience) read my post and the previous post upon which
> my post was based. We are acknowledging that EVERYONE can find out your id
> and password. The question reformulated is:
>
> "Given that one's MySql environment may not be accessible in terms of
> privs (which is the case for a lot of people, who are paying for hosting
> by a third party) and given that we CAN'T hide the id/password
> combination, is the standard arrangement that hosts use (which is to
> ensure that only localhost can access the database) adequate to prevent
> people from doing unwanted things in your database?"

After having read your reply very carefully, really, I still found problems
with your setup:

Assuming that your ISP creates user(s) for you, and has them default to
localhost only, then your problem still remains, and is perhaps even larger.
Because when the entire localhost can access your database, then every user
with shell access on your box (or with web-pages on your system!) has access
to your databases.

> NOTE that I'm assuming that one has a script on localhost, and all users
> are from another domain ...

If you are really the ONLY user on your system, and you have not given
web-access to anyone else, and you trust your DNS, then I suppose you are
safe.

> and also
> assuming that the script is properly set up to constrain the activities
> of users...

Of users? Earlier you had written, "As long as your script is set up to be
secure (for example, not to allow special characters like ~ or &^$, etc.)."
The ~ character you mentioned (see how carefully I read your post?) seemed
to indicate you were protecting your script from misusing users' home
directories. If you only have "visitors" on your system, and not users,
then, and only then, you are safe. Otherwise all other users on your system
will share your localhost privileges.

- Mark

