Re: permissions?
From: Michael Vilain
Date: 10/17/04
- In reply to: Daniel Barna: "Re: permissions?"
Date: Sun, 17 Oct 2004 12:50:53 -0700
In article <468adf60.0410170458.36f49fbc@posting.google.com>,
kkk333@freemail.hu (Daniel Barna) wrote:
> > You can encode the password by md5 or other one-way hash function, so
> > that it would be safe even if somebody opens it. But the users would
> > not be able to restore password if they forget it (however you could
> > empty password and generate a new one for them).
> >
> > Otherwise, as I wrote previously, use database's security system.
> > Databases such as MySQL have their own method to manage user
> > permissions. Instead of checking username/password in php, you could
> > create user accounts in mysql, then call mysql to check it.
>
> I am afraid I miss some basic knowledge. Up to now I used mysql from
> php as follows:
>
> $dbid = mysql_connect("hostname","username","password");
>
> After this MySQL knows, what rights I have, and does not let me
> access/modify/whatever those databases, to which I have no permission.
> Is this what you meant by letting MySQL manage usernames and
> passwords?
> But now username and password are hardcoded in my php script, which is
> readable by wwwrun, so any other local users (on the machine) can also
> read my script, so they will have the same rights as I have. Even if I
> don't hardcode username and password in the php script, but store in a
> file, say, this file must be readable by wwwrun, so again, any other
> users of the machine, who have right to run php scripts, will be able
> to read my file containing the username and password.
>
> So what is the solution to grant access to files/databases only from
> those php scripts, which are OWNED by user1, and deny access for php
> scripts OWNED by any other users?
>
> Thanks
> Daniel
Read this article:
http://shiflett.org/articles/security-corner-mar2004
-- DeeDee, don't press that button! DeeDee! NO! Dee...
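
The permission problem raised in the quoted question, as an added example that is not part of the original post or the linked article: it evaluates the classic Unix owner/group/other read check for a credentials file against the web server account. The function names, the stand-in web server uid and the temporary file are assumptions made for illustration; ACLs and other access controls are not considered.

```python
import os
import stat
import tempfile

def can_read(st, uid, gids):
    """Unix read check: the first matching class (owner, then group,
    then other) decides; later classes are not consulted."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit(path, web_uid, web_gids):
    """Return findings for a credentials file on a shared host."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable: every local account can read it")
    if can_read(st, web_uid, web_gids):
        findings.append("readable by the web server account: every script "
                        "that account executes can read it, whoever owns the script")
    else:
        findings.append("not readable by the web server account: "
                        "the owner's own scripts cannot load it either")
    return findings

def demo():
    """Audit one constructed file under three modes (hypothetical setup)."""
    with tempfile.NamedTemporaryFile() as f:
        st = os.stat(f.name)
        web_uid = st.st_uid + 1  # constructed: an account other than the owner
        results = {}
        # (mode, groups of the web server account)
        for mode, gids in ((0o644, set()), (0o640, {st.st_gid}), (0o600, {st.st_gid})):
            os.chmod(f.name, mode)
            results[oct(mode)] = audit(f.name, web_uid, gids)
        return results

if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

Mode 0640 with the web server's group removes direct reads by other local accounts, but the file stays readable to anything the web server account runs, which is the situation the question describes.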