Re: [PHP] access to DB and security

---

• From: ceo@xxxxxxxxx ("Richard Lynch")
• Date: Wed, 8 Nov 2006 11:40:32 -0600 (CST)

---

On Wed, November 8, 2006 11:05 am, Alain Roger wrote:

My web hoster gave me a login and password with which i can connect to
DB,
perform some actions as DB owner / superuser just for my DB.
If i use this login + password to connect and perform some actions
from my
web pages, everybody can hack my DB and do what they want.

My web hoster will not give me some particular role/user with which
user can
only execute some stored procedure but can not administrate my DB.

therefore, how can i make my web pages users connect to DB (with my
administrator login and password) and run some stored procedure
without
risking to see my DB hacked ?

There are several options here...

One is to switch to a host, perhaps a dedicated host, where you DO
have multiple login roles.

Another is to structure your web application in such a way that only
trusted users at the web/PHP level are allowed to do anything other
than call a stored procedure.
E.g., for normal users, the query MUST look like:
preg_match('/^call [a-z0-9_]+\\s*\\(.*\\)$/imsU', $query)

Still possible: an sql-injection attack in the arguments in .* bit of
that PCRE.

But you could/should be filtering that much earlier on in the process
anyway.

I know there are other options, but it's hard to express anything
sensible until we know what the rest of the application logic and
business process and authentication model looks like...

If anybody on the planet can call any stored procedure in your DB at
any time, I suspect that's not a whole lot better than just having
wide-open access. :-)

So, for now, it's not well-defined enough of a question to provide
more answers.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
.

---

• References:
  • access to DB and security
    • From: "Alain Roger"

• Prev by Date: Counting Records in Dynamic Table
• Next by Date: Re: [PHP] Time-Zone juggling
• Previous by thread: access to DB and security
• Next by thread: Re: [PHP] access to DB and security
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Limiting views on data in a table ... >returns the Windows login the user uses to connect to SQL Server. ... >use it in the WHERE clause of your single stored procedure for everybody to ... pass the login name as a parameter in the stored procedure). ... (microsoft.public.sqlserver.security) Re: Drop Merge Pull Subscription at Publisher? ... when a login who is in the PAL has the permission ... login call sp_dropmergesubscription also on the Publisher. ... > information of where this stored procedure should be run at and there will ... (microsoft.public.sqlserver.replication) Re: SQL Connection help needed ... Have your DB Admin give your NT login access to the stored procedure ... Here is my current connection string that is using my own NT login: ... I have access to this database and the connection establishes fine. ... (microsoft.public.dotnet.languages.vb) Re: Creating Customer Web Portal ... Roles and Profiles system that integrates with the database ... which a stored procedure builds for us. ... I want a simple login page with username and password. ... (microsoft.public.frontpage.addins)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)