Re: Hiding the password
Hello Teddy:

Could you please be a bit more demonstrative? If I have a module at a Web address on an Apache server with permissions 700 (Warren said he has his script set to 755, I think), how exactly do you believe a site visitor can access the text of the script? Or how do you think another system user could access the text of the script? I am beginning to think that you operate in a strange, unsecured Web environment.

Please lay out a general set of steps by which someone could gain access to the text of a Perl script on a Web server with 700 or 755 permissions.

Thanks,
Matt Baranowski

----- Original Message -----
From: Octavian Rasnita [EMAIL PROTECTED]
To: Larry Brown [EMAIL PROTECTED]; MySQL List [EMAIL PROTECTED]
Sent: Sunday, January 05, 2003 10:33 PM
Subject: Re: Hiding the password

No, we are not talking about the staff of the hosting company. The hosting company runs a single Apache server on a single account on that server for all sites that are sitting on that computer. If the user that runs the web server has access to your files, this means that everyone has access.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: Larry Brown [EMAIL PROTECTED]
To: MySQL List [EMAIL PROTECTED]
Sent: Saturday, January 04, 2003 9:50 PM
Subject: RE: Hiding the password

First, why are we conceding that everyone can find out your id and password? Your hosting company has your site separated from other customers' sites, right? So we are just talking about the development team for your site being privy to this information.

Second, if you are referring to the staff of the hosting company, you can't avoid their ability to access data via your login scripts, period. As far as I know they can view all of your communication with the MySQL database and can get that information. If you want tight security, hosting it yourself is a must in my view.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: wcb [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 1:51 PM
To: Mark; MySQL
Subject: Re: Hiding the password

It isn't at all difficult to grasp. Please carefully (and exercising a certain amount of patience) read my post and the previous post upon which my post was based. We are acknowledging that EVERYONE can find out your id and password. The question reformulated is:

Given that one's MySql environment may not be accessible in terms of privs (which is the case for a lot of people, who are paying for hosting by a third party) and given that we CAN'T hide the id/password combination, is the standard arrangement that hosts use (which is to ensure that only localhost can access the database) adequate to prevent people from doing unwanted things in your database? NOTE that I'm assuming that one has a script on localhost, and all users are from another domain, and also assuming that the script is properly set up to constrain the activities of users, does it even matter that people can determine the id/password combination??

Thanks for patient responses.

Cheers!

-warren

Perhaps gurus can comment on what I'm suggesting here - if the database is set up so that only localhost can access it, then you can use a php or PERL script to allow people from elsewhere to cruise in and make queries as your script allows.

Why is this so difficult to grasp? As I, and many others, have pointed out, repeatedly, it does not matter how many layers you wrap around your password-retrieval code, as soon as you make the end-result accessible/readable by your web-CGI, you have done just that: made the user/password accessible by your web-daemon -- hence, made it accessible to everyone with access to your web-server.

And no, adding some sort of access-control within your CGI is equally useless: as a user being hosted on your web-server I would not bother to run your CGI, but simply copy it for ocular inspection. :)

Certainly I'd appreciate comments on this by people in the know, because it is an issue that so many people face...

Perhaps those people should do what I do: create special MySQL users (@localhost), unprivileged to the max, with only very narrow SELECT privileges to the databases they are supposed to read data from, and use those users to access the MySQL server in your CGI.

- Mark

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)
To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Re: mysql NULL value in perl problem
Hi David:

I am assuming you are using DBI. I am not quite sure what you are asking, but here is some code that might help:

    while (my $hashref = $sth->fetchrow_hashref)   # while there are records in the query ...
    {
        # DO SOME STUFF
    }

The above code is a pretty traditional way to deal with a statement handle from DBI. If you want to test if a query result is simply empty or not, you could do something like the following:

    if (my $hashref = $sth->fetchrow_hashref)   # then the query did not return an empty set
    {
        # DO SOME STUFF
    }

This code will tell you if a statement handle has any records. I am not sure if this is what you are looking for, perhaps you could provide some more detail about what you are trying to do.

Good luck,

Matt

Matthew P Baranowski
Data Manager, Office of Educational Assessment
University of Washington

----- Original Message -----
From: David Wu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 05, 2002 2:59 PM
Subject: mysql NULL value in perl problem

Hi guys,

Running into a frustrating problem. When I have an empty table in a mysql database, I tried to run a select statement in my perl script and supposedly get a NULL return value. Is the NULL returned from mysql described as a string in perl or as undef in perl? As there is no word NULL in perl.

Thank you very much guys

Re: Data base driven web page idea - need help!
Hi Grant:

The answer to your question depends on a lot of details. In most cases, the solution you have chosen is just fine. The real question you need to answer is, "Does your solution meet your needs?" If you can answer yes to this question, your solution is fine.

Your solution gives you a couple of advantages:

1. As you said, fewer hits against the database.
2. Faster downloads for your user. Static HTML pages download faster than a dynamic alternative.
3. Static pages will get crawled and added to search engines; sometimes dynamic pages won't.

Some disadvantages:

1. You have a delayed update to your Web page. If a faculty member notices a critical error on a Web page, they must contact you or otherwise figure out how to trigger an update.
2. There are things you can do with a dynamic page that you cannot do with a static page.

> Here's my QUESTION! Because some of the program information is large I don't
> want to query the data base everytime do I?

Like I said, your solution will probably work just fine, but it is probably unnecessary. You say the program information is large, but it would have to be really REALLY large for it to make much difference. With a college of 1600 students, it does not sound like your Web site is going to have much traffic. Php and MySQL are pretty efficient. My advice is to test your assumptions; does retrieving the large Web pages from the database make much difference?

Good luck,

Matt

Matthew P Baranowski
Data Manager, Office of Educational Assessment
University of Washington

----- Original Message -----
From: Grant Cooper [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 26, 2002 10:38 PM
Subject: Data base driven web page idea - need help!

I need help. I am building a database for a small college that wants to be able to update their program information for each department through a web/gui program.

I've decided to use MYSQL, Apache, PHP and FreeBSD as the OS. (I built my web page this way.)

Here's my QUESTION! Because some of the program information is large I don't want to query the data base every time, do I? This would take up too many resources. So I've decided to write a program that will take the information from the MYSQL tables and build static pages every night and remove the old ones through a cron job? How does this sound? Is this standard practice, if not what would be a better way of doing this. This college has about 1600 students?

Thanks in advance, I plan on doing a lot of planning and really appreciate reading this email.

Re: LIMIT in MySQL
Your command says select 60 rows starting at row 30. You want LIMIT 30, 30 to get 30 rows.

Matt

----- Original Message -----
From: Mike At Spy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 26, 2002 9:56 AM
Subject: LIMIT in MySQL

I must not be awake yet. Why is this query sending me back 60 records? Shouldn't it only send back records 30 through 60 (i.e. 30 records)?

    SELECT * FROM table ORDER BY somefield LIMIT 30,60

Thanks,

-Mike

Re: i'm just missing something
Actually there is a slightly better way to add a user. Read the following entry in the mysql docs:

http://www.mysql.com/doc/en/GRANT.html

In fact you might want to read this whole section:

http://www.mysql.com/doc/en/User_Account_Management.html

Example:

    grant select, insert on *.* to joeuser@localhost identified by 'some_password';

This command does a bunch of other things like add permissions to the db table and encrypt the password in the user table. Sometimes it is faster to hack the user and db tables directly, but it is still not a good practice.

I hope this helps.

Thanks,

Matt

Matthew P Baranowski
Data Manager, Office of Educational Assessment
University of Washington

----- Original Message -----
From: Steve Vernon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 19, 2002 2:44 PM
Subject: Re: i'm just missing something

There is a mysql database with a user table in it. Add a new user, then reload the database! Remember to password the password. And it will work!

I've been trying to read the docs on the website, and tried looking it up, but I'm getting confused. I am trying to make a database and a user. To make the database I use

    mysql> create database dbname;

That seems to work, but how do I make a user for it?

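The `*.*` grant from the message above next to the narrow, localhost-only account Mark recommends in the "Hiding the password" thread, as an added example that is not from any poster. It assumes MySQL 8.0 or later, where accounts are created with `CREATE USER`; the `webapp` schema, its tables and columns, the `web_ro` account and both passwords are hypothetical.

```sql
-- Added example; schema, table, column and account names are hypothetical.
-- Assumes MySQL 8.0+: CREATE USER makes the account, GRANT only assigns privileges.

-- Broad form, as in the message above: SELECT and INSERT on every table
-- in every database, including the mysql system schema.
CREATE USER 'joeuser'@'localhost' IDENTIFIED BY 'some_password';
GRANT SELECT, INSERT ON *.* TO 'joeuser'@'localhost';

-- Narrow form for a CGI script whose source other users of the host may read:
-- a separate account, usable only from localhost, with resource limits.
CREATE USER 'web_ro'@'localhost'
  IDENTIFIED BY 'replace-with-generated-secret'
  WITH MAX_QUERIES_PER_HOUR 5000 MAX_USER_CONNECTIONS 10;

-- Table-level privilege: read-only on the one table the script displays.
GRANT SELECT ON webapp.programs TO 'web_ro'@'localhost';

-- Column-level privilege: the script can read names and departments,
-- but not the other columns of the staff table.
GRANT SELECT (id, name, department) ON webapp.staff TO 'web_ro'@'localhost';

-- Review what a disclosed web_ro password would actually expose.
SHOW GRANTS FOR 'web_ro'@'localhost';

-- Audit: accounts that can connect from any host or hold global privileges.
SELECT user, host, Select_priv, Insert_priv, Update_priv, Delete_priv, Grant_priv
FROM mysql.user
WHERE host = '%'
   OR 'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv, Grant_priv);

-- Withdraw the broad grant once the script uses the narrow account.
REVOKE SELECT, INSERT ON *.* FROM 'joeuser'@'localhost';
```

With this layout the credentials stored in the script are worth only a rate-limited read of data the script already publishes.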
Re: INSERT INTO ... SELECT question
Hey Greg:

A slightly easier way to do this is to use a timestamp field. Timestamp is just a standard mysql data type. When a record is added, it records the current time. When a record is updated, the timestamp field will be set to the time of the update.

http://www.mysql.com/doc/en/DATETIME.html

"The TIMESTAMP column type provides a type that you can use to automatically mark INSERT or UPDATE operations with the current date and time. If you have multiple TIMESTAMP columns, only the first one is updated automatically."

Thanks,

Matt

Matthew P Baranowski
Data Manager, Office of Educational Assessment
University of Washington

----- Original Message -----
From: Greg Macek [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 14, 2002 8:06 AM
Subject: INSERT INTO ... SELECT question

Hello,

I recently stumbled upon the INSERT INTO..SELECT abilities. Basically what I'm doing is archiving records into another table before deleting them (inventory information). However, I'd like to have the archive table have one more field than the original table: a date_archived function. So, for example, if the tables looked like this (quite simplified):

    Original:
      carton_id
      item_id
      qty
      status
      date_recd

    Archive:
      carton_id
      item_id
      qty
      status
      date_recd
      date_archived   *(new field)

Can I have the SQL query have a NOW() in there to insert today's date when running this?

    INSERT INTO archive (carton_id,item_id,qty,status,date_recd,date_archived)
    SELECT carton_id,item_id,qty,status,date_recd, NOW() FROM original

Would this work? I'd like to know upfront before basing my code around this or whether or not I'll have to track how many records are going into the new table and manually updating the field. Thanks.

- Greg

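The archive step from this thread with a `date_archived` column that fills itself in, as an added example that is not from either poster. Table and column names are Greg's; the column types, the `status = 'shipped'` filter, the sample rows and the use of InnoDB are assumptions.

```sql
-- Added example. Column types, sample rows and the 'shipped' filter are assumed.
CREATE TABLE original (
  carton_id INT NOT NULL PRIMARY KEY,
  item_id   INT NOT NULL,
  qty       INT NOT NULL,
  status    VARCHAR(20) NOT NULL,
  date_recd DATETIME NOT NULL
) ENGINE=InnoDB;

-- DEFAULT CURRENT_TIMESTAMP without ON UPDATE: the column is stamped once
-- at insert and is not changed if the archived row is edited later.
CREATE TABLE archive (
  carton_id     INT NOT NULL PRIMARY KEY,
  item_id       INT NOT NULL,
  qty           INT NOT NULL,
  status        VARCHAR(20) NOT NULL,
  date_recd     DATETIME NOT NULL,
  date_archived TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
) ENGINE=InnoDB;

-- Constructed sample rows.
INSERT INTO original VALUES
  (1, 100, 12, 'shipped',  '2002-11-01 09:00:00'),
  (2, 101,  4, 'in_stock', '2002-11-10 14:30:00');

-- Archive and delete as one unit: a failure part-way rolls back both.
START TRANSACTION;

-- date_archived is left out of the column list, so the default fills it in.
-- Listing it and selecting NOW(), as in Greg's query, stores the same time.
INSERT INTO archive (carton_id, item_id, qty, status, date_recd)
SELECT carton_id, item_id, qty, status, date_recd
FROM original
WHERE status = 'shipped';

DELETE FROM original WHERE status = 'shipped';

COMMIT;

-- Carton 1 is now in archive with its archive time; carton 2 stays in original.
SELECT carton_id, date_recd, date_archived FROM archive;
SELECT carton_id, status FROM original;
```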