4WebHelp
 FAQ  •  Search  •  User Groups  •  Forum Admins  •  Smilies List  •  Statistics  •  Rules   •  Login   •  Register
Toggle Navigation Menu

 Database secure?
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic
Author Message
Darren
Team Member



Joined: 05 Feb 2002
Posts: 549
Location: London

PostPosted: Mon Jan 20, 2003 3:27 pm (14 years, 9 months ago) Reply with QuoteBack to Top

on a Windows NT Microsoft-IIS/4.0 server running mysql/php.

How secure is it if you can connect to your database using the following data.
Code:
$db_host = 'localhost';
$db_username = '';
$db_userpassword = '';
$db_name = 'dbname';


Am I correct in thinking that anyone on that server (it is shared hosting) could connect to it providing they new the database name?
This wouldn't be too difficult to guess considering it is named after the name of the account directory all of which are visible via ftp...

Surely this can't be right????
OfflineView User's ProfileFind all posts by DarrenSend Personal MessageVisit Poster's Website
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Mon Jan 20, 2003 3:42 pm (14 years, 9 months ago) Reply with QuoteBack to Top

Your host probably blocks all connections from "the outside".

However this still leaves the people on your server. But then even if a password is required, on most servers people can view your PHP/Perl files which will contain your database password anyway.

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
Darren
Team Member



Joined: 05 Feb 2002
Posts: 549
Location: London

PostPosted: Mon Jan 20, 2003 3:47 pm (14 years, 9 months ago) Reply with QuoteBack to Top

thankfully its not my host, but a client does have their site on it.

Thats what I found strange that you could connect without a username or a password. Even if no one intentionaly tried to do something surely this setup is a bit vunerable to accidents?

Is this just because its Windows or because its badly configured?
OfflineView User's ProfileFind all posts by DarrenSend Personal MessageVisit Poster's Website
Daniel
Team Member



Joined: 06 Jan 2002
Posts: 2564

PostPosted: Mon Jan 20, 2003 3:52 pm (14 years, 9 months ago) Reply with QuoteBack to Top

Such a setup is possible on most servers, Linux included. It's just a choice the server admin makes to prevent hassles with adding databases, changing passwords, forgetting passwords, not filling in the password field when connecting, etc...

I personally wouldn't run such a setup, but if it's done properly it's not too much of a risk, especially if done on a small server with few clients.

________________________________
Image
OfflineView User's ProfileFind all posts by DanielSend Personal Message
Display posts from previous:      
Post New TopicReply to Topic
View Previous Topic Print this topic View Next Topic


 Jump to:   




You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot edit your posts in this forum.
You cannot delete your posts in this forum.
You cannot vote in polls in this forum.


Page generation time: 0.059811 seconds :: 17 queries executed :: All Times are GMT
Powered by phpBB 2.0 © 2001, 2002 phpBB Group :: Based on an FI Theme