Allowing a user to change their password
How can one allow a user to change their mysql password securely? If I do a grant update on the user table, then a user could change anyone's password. I just want a user to be able to change their password. Is this possible?

Shawn

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
Re: Allowing a user to change their password
On 3/24/03 10:37 AM, R. Hannes Niedner [EMAIL PROTECTED] wrote:

> On 3/24/03 7:41 AM, Shawn P. Garbett [EMAIL PROTECTED] wrote:
>
>> How can one allow a user to change their mysql password securely? If I do a grant update on the user table, then a user could change anyone's password. I just want a user to be able to change their password. Is this possible?
>>
>> Shawn
>
> One way of doing it is to wrap this functionality in your middleware (perl, php, java...). Then you can grant the database user used by the middleware update privileges on the whole user table and authorize the user identity, e.g. via web form, and let the user only change its own username after he successfully reproduced its own userid/password.

This defeats the purpose of using MySQL's user table to manage users and privileges. The middleware now has to keep somewhere a user/password combo, increasing the chance of a security leak. Now if the user hacks the middleware, then they have control of everyone's password.

There should be some way to allow a user of mysql to change their own password, without opening up security problems.

One of the principles of security is that of least privilege, meaning restrict a user to the least privileges required to do their work at the lowest level. MySQL offers a nice set of privilege control. If user accounts are tracked in MySQL and a user hacks the middleware, then they still can't wreak much havoc. This is because their user/password combo is very limited in what it can do. Now on the converse, if they had a widely privileged database user controlling the middleware, the sky is the limit.

Shawn
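As an added example (not part of the original thread): MySQL lets any non-anonymous account change its own password without holding any privilege on the `mysql.user` table, which fits the least-privilege argument above. The accounts `shawn` and `alice`, the schema `appdb` and the passwords are constructed placeholders; the `ALTER USER` form assumes MySQL 5.7.6 or later, while servers of this thread's era used `SET PASSWORD = PASSWORD('...')`.

```sql
-- Run as an administrative account: create two narrowly scoped users.
-- 'shawn', 'alice', 'appdb' and all passwords are constructed placeholders.
CREATE USER 'shawn'@'localhost' IDENTIFIED BY 'initial-Passw0rd!';
CREATE USER 'alice'@'localhost' IDENTIFIED BY 'another-Passw0rd!';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'shawn'@'localhost';
GRANT SELECT ON appdb.* TO 'alice'@'localhost';

-- The grant the question worries about, shown only for contrast: it would
-- let the holder rewrite the stored credentials of every account.
-- GRANT UPDATE ON mysql.user TO 'shawn'@'localhost';   -- too broad

-- Run as shawn@localhost: change the password of the current account only.
-- USER() resolves to the connected account, so no account name is typed
-- and no privilege on the mysql system schema is needed.
ALTER USER USER() IDENTIFIED BY 'new-Passw0rd!';

-- Older equivalent on servers that predate ALTER USER ... IDENTIFIED BY:
-- SET PASSWORD = PASSWORD('new-Passw0rd!');

-- Still as shawn: the same statement aimed at another account is rejected,
-- because that requires CREATE USER or UPDATE on the mysql schema.
ALTER USER 'alice'@'localhost' IDENTIFIED BY 'changed-by-shawn';

-- Still as shawn: list this account's grants to confirm that nothing
-- beyond the appdb privileges was needed for the password change.
SHOW GRANTS;
```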
Embedding MySQL in an application
I have been told it is possible to embed MySQL in an application such that the user never knows a database is running underneath the app. Where can I find more information about doing this?

--
Shawn P. Garbett [EMAIL PROTECTED]
See http://www.garbett.org/public-key for my PGP key

Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Fwd: Re: Embedding MySQL in an application
>> I have been told it is possible to embed MySQL in an application such that the user never knows a database is running underneath the app. Where can I find more information about doing this?
>
> That's simple - as you write the application, keep the user interface and database totally separate. It's as easy as writing any application that uses a database, you just have to worry a little more about which information you present to the user. I'm currently writing a database-backed web application (using perl and Template Toolkit) where the user will never have to know about the existence of keys or anything like that. As it happens, the code doesn't *have* to run off a database at all (it's nicely modular) but it's the best way of organising my information.

I didn't make myself clear. Of course a user should NEVER see a database key. The design of the software will have a distinctly separate database module. The real point is that a user can take the product out of shrink wrap, install it, run the program and never fiddle one iota with installation of MySQL or even know that MySQL is running on the system. MySQL is entirely embedded within the application. Sure, I could write drivers in the database module that did all this with flat-files, but ugh, what a horrible thought. The plan in the future, as the product line grows, is to eventually tie several products together through a separate database engine, or have them as stand-alone packages.

Microsoft advertises their MSDE (MS Data Engine), which does just this. It sits inside a program and the user never has to do any database administration functions--it's completely integrated into the program. Then there is the option for a seamless upgrade to MS SQL Server when more power is needed. At least that's the ad. My experience with MS products suggests that MSDE won't work and then for a mere $(excessive figure here) I can upgrade to SQL Server. I feel like it could be the classic bait and switch ploy on the part of MS.

The MySQL folks have told me that this has been done and will be fully supported as part of the next release. Problem is I have to demonstrate it NOW, or I may end up stuck with MSDE since it exists NOW. MySQL is my preferred option and I'd love to stick with it across all platforms the product will be ported to.

--
Shawn P. Garbett [EMAIL PROTECTED]
See http://www.garbett.org/public-key for my PGP key
Fwd: Re: Fwd: Re: Embedding MySQL in an application
Freakin' Spam filter!!!

-- Forwarded Message --
Subject: Re: Fwd: Re: Embedding MySQL in an application
Date: 9 Aug 2001 14:07:44 -
From: [EMAIL PROTECTED]
To: Shawn P. Garbett [EMAIL PROTECTED]

Your message cannot be posted because it appears to be either spam or simply off topic to our filter. To bypass the filter you must include one of the following words in your message:

database,sql,query,table

If you just reply to this message, and include the entire text of it in the reply, your reply will go through. However, you should first review the text of the message to make sure it has something to do with MySQL.

You have written the following:

> You could be more specific: Try specifying your programming language and operating system at least.

I'm using Linux, Debian 2.2.2 and GNU C++ with Qt for the GUI under development. Then I'm compiling under Windows 98, with Borland using C++ as well. So the true target for now is Windows 98. Although a demo under linux would probably be satisfactory for now.

--
Shawn P. Garbett [EMAIL PROTECTED]
See http://www.garbett.org/public-key for my PGP key