4WebHelp

 Database secure?
Darren
Posted: Mon Jan 20, 2003 3:27 pm

On a Windows NT Microsoft-IIS/4.0 server running MySQL/PHP.

How secure is it if you can connect to your database using the following data?
Code:
$db_host = 'localhost';
$db_username = '';
$db_userpassword = '';
$db_name = 'dbname';


Am I correct in thinking that anyone on that server (it is shared hosting) could connect to it providing they knew the database name?
This wouldn't be too difficult to guess considering it is named after the name of the account directory all of which are visible via ftp...

Surely this can't be right????

Daniel
Posted: Mon Jan 20, 2003 3:42 pm

Your host probably blocks all connections from "the outside".

However this still leaves the people on your server. But then even if a password is required, on most servers people can view your PHP/Perl files which will contain your database password anyway.

Darren
Posted: Mon Jan 20, 2003 3:47 pm

Thankfully it's not my host, but a client does have their site on it.

That's what I found strange, that you could connect without a username or a password. Even if no one intentionally tried to do something, surely this setup is a bit vulnerable to accidents?

Is this just because it's Windows or because it's badly configured?

Daniel
Posted: Mon Jan 20, 2003 3:52 pm

Such a setup is possible on most servers, Linux included. It's just a choice the server admin makes to prevent hassles with adding databases, changing passwords, forgetting passwords, not filling in the password field when connecting, etc...

I personally wouldn't run such a setup, but if it's done properly it's not too much of a risk, especially if done on a small server with few clients.

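Added example, not part of the original thread or of any poster's message: a Python check that a server admin could run over an export of MySQL's `mysql.user` grant table to find accounts that would accept the blank user name and blank password shown in the first post. The tab-separated export format, the sample rows and the function name `audit_accounts` are assumptions made for this example.

```python
"""Flag MySQL accounts that allow the password-less login discussed above.

Added example. Input is assumed to be tab-separated Host, User and
password-hash values exported by the admin from the mysql.user grant table.
"""

# Constructed sample rows (not from any real server).
SAMPLE_EXPORT = (
    "localhost\troot\t5d2e19393cc5ef67\n"
    "localhost\t\t\n"                      # blank user, blank password
    "%\tshop_user\t\n"                     # any host, blank password
    "localhost\tforum_user\t6f8c114b58f2ce9e\n"
)


def audit_accounts(export_text):
    """Return [(host, user, [issue codes])] for every account with a finding."""
    findings = []
    for line_no, line in enumerate(export_text.splitlines(), start=1):
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"line {line_no}: expected 3 tab-separated fields")
        host, user, pw_hash = (field.strip() for field in fields)
        issues = []
        if user == "":
            # MySQL treats a blank User value as matching any user name.
            issues.append("anonymous-user")
        if pw_hash == "":
            # With native password authentication, no stored hash means
            # the account logs in without a password.
            issues.append("empty-password")
        if "%" in host:
            # '%' is a wildcard: the account is not limited to one host.
            issues.append("wildcard-host")
        if issues:
            findings.append((host, user, issues))
    return findings


if __name__ == "__main__":
    for host, user, issues in audit_accounts(SAMPLE_EXPORT):
        print(f"{user or '(anonymous)'}@{host}: {', '.join(issues)}")
```

An account flagged with both `anonymous-user` and `empty-password` on `localhost` is the kind that lets any script on the shared server connect with the settings from the first post.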