| Author |
Message |
Darren
Team Member


Joined: 05 Feb 2002
Posts: 610
Location: London
|
Posted:
Mon Jan 20, 2003 3:27 pm (10 years, 4 months ago) |
  |
On a Windows NT Microsoft-IIS/4.0 server running mysql/php.
How secure is it if you can connect to your database using the following data?
Code:
$db_host = 'localhost';
$db_username = '';
$db_userpassword = '';
$db_name = 'dbname';
Am I correct in thinking that anyone on that server (it is shared hosting) could connect to it providing they knew the database name?
This wouldn't be too difficult to guess considering it is named after the name of the account directory, all of which are visible via ftp...
Surely this can't be right???? |
|
|
     |
 |
Daniel
Team Member


Joined: 06 Jan 2002
Posts: 2192
Location: London, UK
|
Posted:
Mon Jan 20, 2003 3:42 pm (10 years, 4 months ago) |
  |
Your host probably blocks all connections from "the outside".
However this still leaves the people on your server. But then even if a password is required, on most servers people can view your PHP/Perl files which will contain your database password anyway. |
________________________________
 |
|
     |
 |
Darren
Team Member


Joined: 05 Feb 2002
Posts: 610
Location: London
|
Posted:
Mon Jan 20, 2003 3:47 pm (10 years, 4 months ago) |
  |
Thankfully it's not my host, but a client does have their site on it.
That's what I found strange, that you could connect without a username or a password. Even if no one intentionally tried to do something, surely this setup is a bit vulnerable to accidents?
Is this just because it's Windows or because it's badly configured? |
|
|
     |
 |
Daniel
Team Member


Joined: 06 Jan 2002
Posts: 2192
Location: London, UK
|
Posted:
Mon Jan 20, 2003 3:52 pm (10 years, 4 months ago) |
  |
Such a setup is possible on most servers, Linux included. It's just a choice the server admin makes to prevent hassles with adding databases, changing passwords, forgetting passwords, not filling in the password field when connecting, etc...
I personally wouldn't run such a setup, but if it's done properly it's not too much of a risk, especially if done on a small server with few clients. |
________________________________
 |
|
     |
 |
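A defensive check for the setup discussed in this thread, as an added example that is not part of the original posts: it scans MySQL account rows for blank user names and blank passwords and notes which of those rows also match non-local clients. The input is constructed sample data shaped like a tab-separated `SELECT Host, User, Password FROM mysql.user` export; the column names assume a MySQL version whose `mysql.user` table still has a `Password` column, and the account names are hypothetical.

```python
# Added example: audit account rows for the passwordless setup described above.
HASH = "*" + "A" * 40  # constructed placeholder, not a real password hash

# Constructed sample rows: Host <TAB> User <TAB> Password
SAMPLE_ROWS = (
    f"localhost\troot\t{HASH}\n"
    "localhost\t\t\n"          # anonymous account, no password
    "%\t\t\n"                  # anonymous account matching any client host
    "localhost\tclient_a\t\n"  # named account, no password
    f"10.0.0.%\tclient_b\t{HASH}\n"
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(dump):
    """Return (host, user, findings) for every account row that needs attention."""
    report = []
    for line in dump.splitlines():
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"expected 3 tab-separated fields, got {len(fields)}")
        host, user, pw_hash = fields
        findings = []
        if user == "":
            findings.append("anonymous-user")
        if pw_hash == "":
            findings.append("empty-password")
        # A weak row with a non-local Host pattern also matches remote clients,
        # so it depends entirely on the host's network filtering.
        if findings and host not in LOCAL_HOSTS:
            findings.append("non-local-host-pattern")
        if findings:
            report.append((host, user or "<anonymous>", findings))
    return report


if __name__ == "__main__":
    for host, user, findings in audit_accounts(SAMPLE_ROWS):
        print(f"{user}@{host}: {', '.join(findings)}")
```

Rows flagged only as local still apply to every tenant on a shared server, which is the exposure raised in the first post.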