as far as i know, php won't by default log in as some my.cnf user. but you can set a default username/password/dbname etc. in the php.ini, should be in the [mysql] section. a little additional 'security' (if one could call it that) can be achieved by masking the username/password in the php script by quoted_printable, base64 or binhex or multiple of them. moreover, if you use a special mysql user for that, you should restrict access for that one to localhost (or one specific host) and to SELECT only. so no write access...
-yves

---------- Original Message from Nils Valentin <[EMAIL PROTECTED]> at 13.08.2003 06:41:29:
> Hi Steve,
>
> I understood that usually the data required to connect to a db is stored in an
> outsourced php file. For mysql clients you can define username/password etc. in
> the my.cnf configuration file, but I am not sure if a PHP client would access
> this file.
>
> Best regards
>
> Nils Valentin
> Tokyo/Japan
>
>
> On Wednesday, 13 August 2003 06:00, Lefevre, Steven wrote:
> > I'm working on a website/database deal, and right now I'm designing the
> > security model.
> >
> > It's using LAMP(HP), so all the tricks are going to be through PHP.
> >
> > First off, this will be behind a firewall with SSL encryption. We may also
> > set up some kind of VPN tunneling. I'll be ignoring other security details
> > that don't apply to the problem at hand, but please feel free to suggest.
> >
> > I'm going to have users enter a username and password, with PHP emulating
> > the htaccess dialogue boxes. I would like to check the entered values in a
> > permissions table. This table looks like:
> >
> > username | passwordhash | ipaddress | permission
> >
> > All users will have a static IP, so they have to match the
> > username-password-ipaddress combination. I'm storing the passwords as an
> > MD5 hash in case someone breaks in and reads the table.
> >
> > So what MySQL user does PHP log onto the database as, in order to read
> > the permissions table? (After that, we just go with the logged user's
> > permission). If I make a special user that just has permission to read the
> > permission table, do I have to store that user's password plaintext in a
> > php script somewhere, thus adding a security risk if someone were to get a
> > hold of that password?
> >
> > Steve
>
> --
> ---
> Valentin Nils
> Internet Technology
>
> E-Mail: [EMAIL PROTECTED]
> URL: http://www.knowd.co.jp
> Personal URL: http://www.knowd.co.jp/staff/nils
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
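
The restriction suggested in the reply at the top of this thread (a dedicated MySQL user limited to localhost and to SELECT), written out as an added example that is not part of the original messages. The database name `webapp`, the account name `perm_reader`, the password placeholder and the sample row are assumptions; the table columns follow the layout in Steve's post.

```sql
-- Assumed names: database `webapp`, account `perm_reader` (hypothetical).
CREATE DATABASE IF NOT EXISTS webapp;
USE webapp;

-- Table layout as described in the thread:
-- username | passwordhash | ipaddress | permission
CREATE TABLE IF NOT EXISTS permissions (
    username     VARCHAR(64) NOT NULL,
    passwordhash CHAR(32)    NOT NULL,  -- hex MD5 digest, as in the post
    ipaddress    VARCHAR(15) NOT NULL,  -- static IPv4 address of the user
    permission   VARCHAR(32) NOT NULL,
    PRIMARY KEY (username)
);

-- Constructed sample row (192.0.2.0/24 is a documentation address range).
INSERT INTO permissions
VALUES ('steve', MD5('constructed-sample-password'), '192.0.2.10', 'read');

-- Account PHP uses for the login check: accepted only from localhost.
CREATE USER 'perm_reader'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD';  -- placeholder

-- SELECT on this one table and nothing else: no writes, no other tables.
GRANT SELECT ON webapp.permissions TO 'perm_reader'@'localhost';

-- Verify what the account can actually do.
SHOW GRANTS FOR 'perm_reader'@'localhost';

-- The lookup the login page runs: all three values must match one row.
PREPARE lookup FROM
    'SELECT permission FROM permissions
      WHERE username = ? AND passwordhash = ? AND ipaddress = ?';
SET @u  = 'steve';
SET @h  = MD5('constructed-sample-password');
SET @ip = '192.0.2.10';
EXECUTE lookup USING @u, @h, @ip;
DEALLOCATE PREPARE lookup;

-- Connected as perm_reader, any INSERT/UPDATE/DELETE on this table is
-- rejected by the server with ERROR 1142 (command denied).
```

With this grant in place, a leaked `perm_reader` password only works from the database host itself and only allows reading the `permissions` table.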