This is a discussion on "What's best way to do?" within the MySQL forums, part of the Database Server Software category.
Hi,

I wrote a web application with a MySQL database. In the PHP code, I use user 'root' in the mysql_connect command. The user of the application is limited to the application and cannot delete or alter a table, only update, delete and insert into the tables.

Is it a good practice to do so, or is it better to define an "anonymous" user with limited rights?

Thanks
Pat

Hi,

best practice would be to create one (or if it's suitable for your application, more) user(s) whose permissions are tailored to the specific needs of this application. I would avoid creating anonymous users, there are rarely good reasons for that ;-).

Markus
> i wrote a webapplication with mysql database. In the PHP code, i use user 'root' in the mysql_connect command.
>
> The user of the application is limited to the application and cannot delete or alter a table, only update, delete and insert the tables.
>
> Is it a good practice to do so, or is it better to define an "anonymous" user with limited rights?

As Markus said, it is better to create a limited "web" user. If a hacker somehow gets the account data, he cannot do more than the web user could do via the page. If you really want to limit the database access and if your database supports stored procedures, you could define a stored procedure for every allowed action on the database and grant only execute rights to the web user.

Best regards
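A worked version of both approaches from the reply above (a table-level "web" user, and an EXECUTE-only user behind stored procedures), added here as an example rather than code from the thread; the database name `shop`, table `orders`, column names and the account names are assumptions:

```sql
-- Added example: least-privilege MySQL accounts for a PHP web application,
-- instead of using 'root' in mysql_connect. Assumed names: database `shop`,
-- table `orders` (columns customer_id, amount), accounts 'webapp'@'localhost'
-- and 'webapp_sp'@'localhost'. Run as an administrative account that owns `shop`.

-- Approach 1: a "web" user with table-level DML grants only. It can read and
-- change rows in shop.orders but cannot DROP or ALTER tables, read other
-- databases, or create further accounts.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders TO 'webapp'@'localhost';

-- Approach 2: wrap each allowed action in a stored procedure (MySQL 5.0+)
-- and grant the account EXECUTE only, so it cannot issue ad-hoc SQL at all.
-- SQL SECURITY DEFINER (the default) runs the body with the privileges of
-- the account that created the procedure, not those of the caller.
DELIMITER $$
CREATE PROCEDURE shop.add_order(IN p_customer_id INT, IN p_amount DECIMAL(10,2))
    SQL SECURITY DEFINER
BEGIN
    INSERT INTO shop.orders (customer_id, amount) VALUES (p_customer_id, p_amount);
END$$
DELIMITER ;

CREATE USER 'webapp_sp'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT EXECUTE ON PROCEDURE shop.add_order TO 'webapp_sp'@'localhost';

-- Checks: confirm what each account can actually do, and that no anonymous
-- (empty-username) accounts exist, which Markus advised against.
SHOW GRANTS FOR 'webapp'@'localhost';
SHOW GRANTS FOR 'webapp_sp'@'localhost';
SELECT user, host FROM mysql.user WHERE user = '';
```

The PHP side then connects as 'webapp' (or 'webapp_sp') instead of 'root'; with approach 2 it issues `CALL shop.add_order(...)` rather than INSERT statements, so a leaked password yields no more than the procedures allow.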
Thanks

"Dikkie Dik" <"' OR 1=1 LIMIT 1-- haha"@haha.com> wrote in message news:dpp7pb$67m$1@news.cistron.nl...
>> i wrote a webapplication with mysql database. In the PHP code, i use user 'root' in the mysql_connect command.
>>
>> The user of the application is limited to the application and cannot delete or alter a table, only update, delete and insert the tables.
>>
>> Is it a good practice to do so, or is it better to define an "anonymous" user with limited rights?
>
> As Markus said, it is better to create a limited "web" user. If a hacker somehow gets the account data, he cannot do more than the web user could do via the page. If you really want to limit the database access and if your database supports stored procedures, you could define a stored procedure for every allowed action on the database and grant only execute rights to the web user.
>
> Best regards

Thanks

"Markus Popp" <mfp@gmx.li> wrote in message news:43bfe7c8$0$23225$91cee783@newsreader02.highway.telekom.at...
> Hi,
>
> best practice would be to create one (or if it's suitable for your application, more) user(s) whose permissions are tailored to the specific needs of this application. I would avoid creating anonymous users, there are rarely good reasons for that ;-).
>
> Markus