Hey folks -

While contemplating the design of a secure web database, an idea struck me.
I'm thinking of submitting it as a feature request, so please critique it.

I'm having php handle user logon with its .htaccess emulation. I'm storing
usernames and password hashes in a table. The problem is that php needs to
open MySQL with *some user* with *some permission*, just to read the user
table and check the password. So it seems that I have to store the password
plaintext somewhere in some php file.

(I asked the list about this earlier and several others had great
suggestions on how to hide this plain-text password -- Thanks Rob! -- but,
can we make it better?)

So if some wily hacker were to get the contents of this php file, s/he would
get a username and password for the database. Now of course, I'm only going
to give this user permission to read the user database, and all the
passwords are hashed... but:

I propose a new permission that I will call MD5read. It's like select, only
it just returns hashes.


So, say you do something like:

SELECT password FROM user;

49726b60ccbf03d6c619632e1d5555b6
f8ec2c9d79b5f969a96be968e7152bbd


SELECT username, password FROM user;

24424b444b80831b677594a238f81dd9 | 4549625d8275b97b9b4f9662f1c550fa
1e5143d05b327f7d3cce15f9e3e44ad2 | fe3b4b388a69ceed38d6a0066e6a221b


SELECT username+password+somethingelse FROM user;

49726b60ccbf03d6c619632e1d5555b6
f8ec2c9d79b5f969a96be968e7152bbd



So that way, if someone gets the username/password for this user, they can't
get any data off of the database.

One thing you have to watch is that you don't use the md5 function for a
user that has only md5read permission, because that would double-hash it,
and whatever you're checking would fail.

I know you can do
SELECT md5(username), md5(password) FROM user
(or whatever the syntax is), but the user doing that has to have read
permission already. So if a hacker gets that username and password, they are
probably not going to hash data they are trying to get out of the database.

I would feel safe storing a user's name and password in a plain text php
script if they had only this permission.

Is this useful? Are there any flaws in my reasoning?





-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
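The following is an added example, not code from the post or from MySQL: it models the proposed MD5read privilege in Python so the login check, the double-hash pitfall the post warns about, and what a stolen MD5read credential actually exposes can all be run offline. The user table contents, and the function names `md5read_select`, `login_via_md5read`, `login_wrong_single_hash` and `attacker_dump`, are made up for this demonstration. MD5 is used only because the post uses it; it is not a suitable password hash today.

```python
"""Model of the proposed MD5read privilege (hypothetical; not a MySQL feature)."""
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample user table: passwords stored as md5 hashes, as in the post.
USER_TABLE = [
    {"username": "alice", "password": md5hex("correct horse"), "email": "alice@example.com"},
    {"username": "bob",   "password": md5hex("hunter2"),       "email": "bob@example.com"},
]


def select(table, columns):
    """Ordinary SELECT: the caller holds SELECT and gets the stored values."""
    return [[row[c] for c in columns] for row in table]


def md5read_select(table, columns):
    """Proposed MD5read privilege: same rows, but every returned value is
    md5'ed server-side before it leaves the database (assumed semantics)."""
    return [[md5hex(row[c]) for c in columns] for row in table]


def login_via_md5read(table, username, password):
    """Login check by an app user that only holds MD5read.

    The password column already holds md5(password), and MD5read hashes it
    once more on the way out, so the app must compare against
    md5(md5(password)). The username comes back hashed too, so it is matched
    as md5(username)."""
    target = [md5hex(username), md5hex(md5hex(password))]
    return target in md5read_select(table, ["username", "password"])


def login_wrong_single_hash(table, username, password):
    """The pitfall from the post: hashing the input only once, as you would
    against a plain SELECT, never matches an MD5read result."""
    target = [md5hex(username), md5hex(password)]
    return target in md5read_select(table, ["username", "password"])


def attacker_dump(table):
    """What someone holding the MD5read credential can pull: every column,
    but only as hashes. Compare with select() for the SELECT-privilege case."""
    return md5read_select(table, ["username", "password", "email"])
```

Running `login_via_md5read(USER_TABLE, "alice", "correct horse")` returns True while `login_wrong_single_hash` returns False for the same input, and `attacker_dump(USER_TABLE)` contains no e-mail address in the clear. Note that the dump still hands out one hash per password, so offline guessing against it is no harder than against the stored hashes themselves.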
