
Re[2]: [cobalt-users] Creating databases using phpMyAdmin



Hello List,

Tuesday, October 02, 2001, 8:32:09 AM, you wrote:

MB> On 1.10.2001 at 14:24, Nell Bolen at nell@xxxxxxxxxxxxxx wrote:

>> 
>> 
>> Marco Baurdoux wrote:
>> 
>>> On 1.10.2001 at 8:43, Daniel Treadwell at daniel@xxxxxxxxxxx wrote:
>>> 
>>>> one word; phpMyAdmin http://www.phpwizard.net/projects/phpMyAdmin/
>>>> 
>>>> your users can create their own stuff without you having to give them full
>>>> shell access...
>>>> 
>>>> HTH
>>> 
>>> Hi Daniel,
>>> The problem if you use phpMyAdmin to create new MySQL databases is that all
>>> your customers have the same username and password, so this means that one
>>> customer can view the content of another customer.
>>> 
>>> Now, I don't believe that your customers will be really happy with this.
>>> With the solution I proposed, every user has their own database, their own
>>> username and their own password.
>>> 
>>> So only the root user of the MySQL database can view all the databases.
>>> 
>>
>> I have set up a MySQL server that seems to work. The privilege tables in mysql
>> allow domain customers to connect as "localhost" but only to their own
>> databases and tables. I have tried it out using different customers'
>> usernames/passwords, and when I do, I can view only the databases specific to a
>> certain username/password. A web interface to the mysql databases, too, will
>> allow me to work with only a specific database when using customers'
>> usernames/passwords. Is this what you refer to above?

MB> Yes, absolutely.
MB> This solution will prevent customer A from viewing the databases of customer B.
MB> That was exactly what I wrote before. If you have one customer who would
MB> like to store private data in his MySQL database ( Oink, wrong answer, don't
MB> store sensitive stuff in a MySQL database without encrypting it ), I'm sure that
MB> he would not appreciate other persons being able to peek into his
MB> database.


>> 
>> I am new at this. I have read somewhat about the privilege system, but would
>> appreciate your views about the safety of how I've set this up. Only root can
>> create databases and has all privileges. Each database gets a
>> username/password. Users have only the first six privileges. I have also set up a
>> simple web interface for customers to use to manipulate the tables in their
>> databases. On the login page, all databases are listed, but further progress
>> depends upon which username/password the customer uses. This interface allows
>> only connection to one database, customer specific. Does this setup sound
>> secure to you? Thank you for any comments and pointers.

MB> Personally,
MB> I use phpMyAdmin ( as most of us, I believe, since it's an absolute reference
MB> ). By applying the solution I provided in my previous postings your customers
MB> will have a "secure" database. If you use the advanced authentication
MB> your customers shouldn't even be able to see the other databases, because
MB> knowing which databases are on a machine can be the starting point for someone
MB> to try and hack you. ( The less your people know about your server settings
MB> the better it is for your safety, but don't count on this !!! )

MB> If you wish I can send you the "phpMySQLAdmin" I use in our standard
MB> set-up. But for that, please contact me off-list.

>> 
>> Regards, Nell Bolen
>> nell@xxxxxxxxxxxxxx
>> 
>> 

This is slightly off-topic but I thought people might be interested.
After using phpMyAdmin for quite a long time, I switched to MySQL-Front (
http://www.anse.de/mysqlfront/ ), which is a free Windoze application.
I do my work with MySQL-Front on a local server and just secure-copy a
dump to the production server, where I upgrade the database with mysql
commands through SSH (I use a script in my SSH client so all this is
just one click away). It seems to me that using phpMyAdmin on a
production server is quite a risk unless you access it via SSL (but
I'm a newbie so I might be wrong).

-- 
Regards,
 Pierre
 pierre@xxxxxxxxxxx
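The setup Nell describes (root creates each database, every customer gets one account that can reach only that database, and the account holds only "the first six privileges") is what a hosting provisioning script would emit. The script below is an added example written for this page, not Nell's, Marco's or Pierre's code. It assumes that "the first six privileges" means SELECT, INSERT, UPDATE, DELETE, CREATE and DROP (the first six privilege columns of the mysql.user table in MySQL of that era), that accounts are bound to localhost, and that the server accepts the old `GRANT ... IDENTIFIED BY` form; on a current MySQL you would run `CREATE USER` first and drop the `IDENTIFIED BY` clause. The names `gen_grant_sql`, `valid_ident` and `valid_secret` are the example's own.

```shell
#!/bin/sh
# Per-customer MySQL provisioning (added example, not from the thread).
# One database, one account bound to localhost, database-scoped privileges
# only: no global grants, no GRANT OPTION, so customer A cannot list or read
# customer B's database.

# Accept only identifiers MySQL needs no quoting for, so a customer-supplied
# name cannot smuggle extra SQL into the provisioning statements.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ ${#1} -le 16 ]   # account names were limited to 16 chars in old MySQL
}

# The password goes into a quoted SQL literal; refuse the two characters that
# could end or escape that literal instead of trying to escape them portably.
valid_secret() {
    case "$1" in
        ''|*\'*|*\\*) return 1 ;;
    esac
    return 0
}

# Emit the SQL that creates one isolated customer database and account.
# Usage: gen_grant_sql <dbname> <username> <password>
gen_grant_sql() {
    db=$1 user=$2 pw=$3
    valid_ident "$db"   || { echo "bad database name: $db" >&2; return 1; }
    valid_ident "$user" || { echo "bad user name: $user" >&2; return 1; }
    valid_secret "$pw"  || { echo "password contains ' or \\" >&2; return 1; }
    printf 'CREATE DATABASE %s;\n' "$db"
    # Only the six database-scoped privileges, on this database alone.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$pw"
    printf 'FLUSH PRIVILEGES;\n'
}

# Run directly with three arguments to feed the statements to the root account:
#   sh mkcustdb.sh shop1 shop1 's3cret' 
if [ $# -eq 3 ]; then
    gen_grant_sql "$1" "$2" "$3" | mysql -u root -p
fi
```

A quick check after provisioning is to log in as the new account and run `SHOW DATABASES;`: with only these grants it should list just its own database (plus whatever the server shows to everyone), which is the isolation Marco asks for.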