[KLUG Members] database programming question

bill bill at billtron.com
Tue Jun 22 16:03:39 EDT 2004


On Tue, 2004-06-22 at 15:53, Jamie McCarthy wrote:
> bill at billtron.com (bill) writes:
> 
> > Practically speaking, once a MySQL database is created with a
> > couple of logons, I can put up PHPMyAdmin and run major
> > websites without ever again using a shell.  That's ease of use.
> 
> I worry a bit about PHPMyAdmin...
> 
> http://www.gentoo.org/security/en/glsa/glsa-200402-05.xml
> 
> That was fixed in February, but since then, there's also been
> a security fix about "cookie hijacking" or something.  Best
> if you can make sure your PHPMyAdmin server runs only on an
> internal network, I think...

If anybody but you is using PHPMyAdmin you're crazy.  Put it up in such
a way that nobody but you can use it.  The point wasn't about db admin
security but capability and ease of use.

> For the record, the "P" in "LAMP" stands for either PHP or Perl,
> your choice.  :)

Please, please, not PERL.  Been there, done that, ran a whole shopping
cart website with it, still carrying bad memories.  It's so hard to use,
everybody uses pre-built scripts.  Pre-built scripts may eventually be
compromised, and when compromised will then make a whole lot of sites
vulnerable. Matt Wright's Formmail script is a good example.  I had
begun using PHP and it was so easy to just write my own scripts in PHP I
no longer used Matt's Formmail.  But, when the vulnerability occurred, I
still needed to track down the old pages and change them (to php).
Actually, I remember that I helped an ISP track down a spammer by making
a PHP script to resemble Matt's Formmail script.  Instead of being an
open relay it responded "please wait" while PHP e-mailed the sysadmin
with the guy's current IP address.  How do you keep an idiot in
suspense?

kind regards,

bill
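The decoy form mailer bill describes above, written out as an added example (this is not bill's script and not part of the original post). It imitates the public face of an open-relay form mailer but never relays anything: each POST is logged with the peer address and the recipient field, the administrator is notified, and the caller only ever sees "please wait". The admin address and log path are constructed placeholders, as is the honeypot sender address.

```php
<?php
declare(strict_types=1);

// Constructed placeholders; replace with your own values.
const ADMIN_EMAIL = 'sysadmin@example.org';
const LOG_FILE    = '/var/log/formmail-honeypot.log';

/**
 * Build one log line describing the request. Only metadata is kept: the peer
 * address, user agent, the "recipient" field and how many addresses it carried.
 * Message bodies are not stored, and nothing is ever relayed.
 */
function honeypotEntry(array $post, array $server, int $now): string
{
    // REMOTE_ADDR is the TCP peer; X-Forwarded-For is client-controlled and ignored.
    $ip   = $server['REMOTE_ADDR'] ?? 'unknown';
    $ua   = (string)($server['HTTP_USER_AGENT'] ?? '');
    $rcpt = (string)($post['recipient'] ?? '');

    // Classic form mailers accept comma-separated recipients; count them so a
    // bulk attempt is visible at a glance in the log.
    $n = $rcpt === '' ? 0 : count(array_filter(array_map('trim', explode(',', $rcpt))));

    // Strip CR/LF and cap length so one request is always exactly one log line
    // and request data cannot inject headers into the notification mail below.
    $clean = fn(string $s): string => substr(preg_replace('/[\r\n]+/', ' ', $s), 0, 200);

    return sprintf('%s ip=%s recipients=%d recipient_field=%s ua=%s',
        gmdate('Y-m-d\TH:i:s\Z', $now), $ip, $n, $clean($rcpt), $clean($ua));
}

/** Append the entry to the log and notify the administrator. */
function honeypotRecord(string $entry): void
{
    // LOCK_EX keeps concurrent hits from interleaving lines.
    file_put_contents(LOG_FILE, $entry . "\n", FILE_APPEND | LOCK_EX);

    // Subject and From are fixed strings; only the sanitized entry is the body.
    mail(ADMIN_EMAIL, 'formmail honeypot hit', $entry, 'From: honeypot@example.org');
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    honeypotRecord(honeypotEntry($_POST, $_SERVER, time()));
}

// Every request gets the same answer, so the caller learns nothing about
// whether the "relay" worked.
header('Content-Type: text/plain');
echo "please wait\n";
```

Install it at the path the old Formmail lived at so existing abuse traffic lands on it. In practice you will want to throttle the notification (for example, one mail per source address per hour, with the log as the complete record), since a bulk sender hitting the decoy would otherwise turn the honeypot itself into a mail flood aimed at the sysadmin.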
