On Thu, Feb 17, 2000 at 11:41:10AM +1030, Mark Ferraretto wrote:
>I don't use MySQL security. This is because it can't provide row-level
>security and can be bypassed using a client that's not mine.
>
>So, access to the database is through a single mysql user who has complete
>rights to the database.
In a way you do use MySQL security, since you're restricting access to
only one user. :) But you're not using MySQL for row-level security,
because it isn't offered.
>The username and password are stored as cookies through the browser. If
>the cookies don't exist (or have expired), a login screen is displayed.
>
>How does this look? The mysql user and password exist in plain text in a
>.php file. Can this ever be retrieved by a user or will apache always
>generate the html when it sees that it's a php file?
As Van said, SSL would be good, so that the user and password (even the
encrypted password) aren't visible on the wire. That plain text file on
your server can of course be retrieved if you grant someone access by
some method. If you mess up your Apache config some time, for example,
or somehow allow someone to read arbitrary files on your machine, etc.
But you can prevent those things by being very sensitive about how you
program and how you do things.
If you have Apache set up right, it will always process your php files
before serving them to the client.
>What are the security implications of using cookies? I have the plaintext
>username in one cookie and the mysql-encrypted password in another.
>Neither cookie is called 'user' or 'password' or something like that.
>I've kept the names cryptic.
You might try using rot13 to encrypt your data. Seriously, though, I
don't put much stock in security via obscurity. It'd be better to use
SSL if you're worried about someone reading cookie info that's passed
on the wire. The implications of using cookies are the same as passing
data in a form, so if you wouldn't put the data in a form element, then
don't put it into a cookie.
Tim
--
Tim Smith < tim@stripped > :MySQL Development Team: Boone, NC USA.
