Create Mysql database?

Re: Create Mysql database?

On Fri, 11 May 2007 16:42:23 +0000, harvey wrote:
query = "create database fred;";

Re: Create Mysql database?

In article <pan.2007.05.11 .16.45.46.76357 0@you.now>, annoyed@you.now
says...Oh god is it really that simple - this must be my day
for asking dumb questions.

Thanks for not lauging at me... at least not in public !

Re: Create Mysql database?

On 11 May, 17:52, harvey <harvey....@blu eyonzders.comwr ote:remember though that it's considered good practise not to have php
use root, give php too many permissions and it will only be time
before your hard work comes back to haunt you, instead get use
to creating the db using the mysql command line (or some helpful gui)
and then immediately create a new user which has rights over this
database, and plug that into the php scripts that use that db,
limiting potential for disaster.

Re: Create Mysql database?

In article <1178903815.663 966.110230@y80g 2000hsf.googleg roups.com>,
matt.farey@gmai l.com says...hmmm... I can see that this is likely to get very complicated very
quickly.

My difficlty is I am at the learning stage with PHP and mySQL but I'm
doing this to try and automate the procedures for someone who knows even
less than I do. I need it to create the database and tables and
then update the tables for him from forms in his browser -

I can do most of it but the PHP/Mysql is new to me as I said.

I've bought the Samms PHP,MYsql and Apache - All in One book and am
working through it to get this done but it tends to gloss over
or even ignore the really important stuff such as that you just
mentioned. I'm reasonably Linux oriented so most of it makes sense but
where issues don't arise at all I can miss them. (I'm not at all
impressed with most of the books I've seen I must admit but this one did
seem the best)

Do you have any advice for me on using PHP to create the database appart
from not doing it? (I suspect he doesnt have root access on his web site
either so I'm guessing he needs to use his own ISP provided access - he
does have the mySQL admin package but not the skills to use it -)

Is there anything I can do to limit the problems of creating the database
in PHP? I really don't want to try and get him to do anything manually.


Thanks again.

Re: Create Mysql database?

On May 11, 10:39 am, harvey <harvey....@blu eyonzders.comwr ote:


Many programs have a "database setup" script that asks for the MySQL
root password and then creates the tables and users for the main
program to use later (the db 'user' it creates has limited
functionality so it cannot mess with other databases or create/delete
tables.) It never records the root PW, once the MySQL users and
tables are done it utilizes only the limited accounts it created.
(probably only requiring root PW later for major upgrades)

Re: Create Mysql database?


"harvey" <harvey.zzz@blu eyonzders.comwr ote in message
news:MPG.20aeaf d1f4fe2e7d98999 a@news-text.blueyonder .co.uk...If MySQL was already installed, running, and configured in your PHP setup,
then you should be fine. If you see permission errors though, you might need
to check up on the permission settings in your MySQL setup.

If you do need to, I'd check the MySQL documentation
(http://dev.mysql.com/doc/) on "user account management" to make sure your
username and/or network location (IP address, localhost, etc.) are
configured for access.

Tom
--
Newsguy.com
90+ Days Retention
Higher levels of article completion
Broader newsgroups coverage

Re: Create Mysql database?

On Fri, 11 May 2007 10:16:55 -0700, shimmyshack wrote:
Just think of PHP as your front end to your SQL server... anything you can
do in standard ANSI SQL you can do with PHP.
PHP/Apache/mysql/etc should never run as root and never have to. There
should be no correlation between the accounts used by your public apps and
the system accounts on the box.

That's a fine solution unless you're creating databases dynamically...
which is the only reason I can think of to create a DB with a web
application in the first place.

There is a simple solution however. Control the rights of the web app
using your mysql install. I have one user that has read-only access to the
databases for use when doing look-ups, one user that I grant write access
to the databases for operations that need to write to the database and one
with access to create databases.

I set the default user for my connection to the read-only account and have
to purposefully change the account being used if I want to do anything
other than just read.

You can't inject SQL if the account you're using doesn't have rights to
write to the database.

Re: Create Mysql database?


"harvey" <harvey.zzz@blu eyonzders.comwr ote in message
news:MPG.20aeba e984edb64e98999 d@news-text.blueyonder .co.uk...Its actually quite easy. I too haven't done much in it but I'm pretty much
able to do all basic database stuff I need to.

Essentially you first log into the database using a function, create a sql
query string(which is probably going to be the hardest part but it too is
quite simple once you get over the mental block), and then query the
database with another function.

for example, heres a query for my database to check some stuff

$query="DELETE FROM ips WHERE ip='".mysql_rea l_escape_string ($RMADDR,
$ldblink)."';";
$result = queryldb($query , $ldblink);


function logonldb($datab ase)
{
$user="login";
$password="pass word";

$link = mysql_connect(' localhost', $user, $password);
if (!$link) { dberror("Connec tion Error!"); }

$db_selected = mysql_select_db ($database, $link);
if (!$db_selected) { dberror("Databa se Error!"); }

return $link;
}


and I use loginldb to log into the database and return the link that is used
in the calls. You also have to log out with somethign like


function logoffldb($link )
{
mysql_close($li nk);
}



the query function is defined as

function queryldb($query , $link)
{

$result = mysql_query($qu ery, $link);
return $result;
}

also, if you are to get a result then you want to convert the query call
into an array using something like the following

if ($result != false) { $row = mysql_fetch_ass oc($result); if ($row ==
false) { unset($row);}} else unset($row);


My wrappers are kinda unnecessary but hopefully you can see how basic it is.
Its just a few function calls and a little bit of setup(query string and
result conversion).


Its much easier than I ever expected and was a relief.

Jon

Re: Create Mysql database?


"Jon Slaughter" <Jon_Slaughter@ Hotmail.comwrot e in message
news:Yx31i.5528 $H_.1648@newssv r21.news.prodig y.net...BTW, the mysql_real_esca pe_string is used any time the data your sticking
into the database might be used for sql injections. This is where they can
mess whith your query to change it to something else and screw up your
database or get its data. I just wrap it around every variable that I use
just incase.

Re: Create Mysql database?

>I set the default user for my connection to the read-only account and haveThere are plenty of people who would love to inject
select * from credit_card_acc ount_list;
even if the account you're using has no rights to write to the database.

Re: Create Mysql database?

harvey wrote:Harvey,

Other users have given you great advice. The only caution I can add -
many shared hosting providers don't allow you to create databases except
through their control panel.

Of course, if this is your server, that isn't a problem.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Re: Create Mysql database?

On Fri, 11 May 2007 23:02:45 +0000, Gordon Burditt wrote:
Obviously I was speaking of injections to cause data corruption.

Anyone stupid enough to use credit_card_acc ount_list as a table name
deserves to go out of business.

Re: Create Mysql database?

On May 15, 4:24 pm, Ivan Marsh <anno...@you.no wwrote:one may gather all the data in a database by blind injecting a query
which asks "true or false" questions. Subtle bahavioural changes in
the app (timings of response, etc...) can lead to knowledge of the
result, without the need to receive error messages back through http,
this prevents WAFs, logs and so on from discovering the existence of
the attack until it has successfully obtained all the info from the
database, "is the first letter of the first table in the database
greater than m?" etc.. etc...
this thwarts security by obscurity, such as calling the credit_card
table something like image_data_for_ banner_adverts. ...

Re: Create Mysql database?

On Tue, 15 May 2007 09:46:52 -0700, shimmyshack wrote:
That being true is it not still more difficult to guess something that's
randomly generated or something that has meaning?