[KLUG Members] database programming question
bill
bill at billtron.com
Tue Jun 22 16:03:39 EDT 2004

On Tue, 2004-06-22 at 15:53, Jamie McCarthy wrote:
> bill at billtron.com (bill) writes:
>
> > Practically speaking, once a MySQL database is created with a
> > couple of logons, I can put up PHPMyAdmin and run major
> > websites without ever again using a shell. That's ease of use.
>
> I worry a bit about PHPMyAdmin...
>
> http://www.gentoo.org/security/en/glsa/glsa-200402-05.xml
>
> That was fixed in February, but since then, there's also been
> a security fix about "cookie hijacking" or something. Best
> if you can make sure your PHPMyAdmin server runs only on an
> internal network, I think...

If anybody but you is using PHPMyAdmin you're crazy. Put it up in such
a way that nobody but you can use it. The point wasn't about db admin
security but capability and ease of use.

> For the record, the "P" in "LAMP" stands for either PHP or Perl,
> your choice. :)

Please, please, not Perl. Been there, done that, ran a whole shopping
cart website with it, still carrying bad memories. It's so hard to use,
everybody uses pre-built scripts. Pre-built scripts may eventually be
compromised, and when compromised will then make a whole lot of sites
vulnerable. Matt Wright's Formmail script is a good example. I had
begun using PHP and it was so easy to just write my own scripts in PHP I
no longer used Matt's Formmail. But, when the vulnerability occurred, I
still needed to track down the old pages and change them (to PHP).

Actually, I remember that I helped an ISP track down a spammer by making
a PHP script to resemble Matt's Formmail script. Instead of being an
open relay it responded "please wait" while PHP e-mailed the sysadmin
with the guy's current IP address. How do you keep an idiot in
suspense?

kind regards,
bill
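The decoy form handler bill describes above, written out as an added example (this is not bill's script and not part of the original thread): it accepts the same POST fields a Formmail-style form would send, never relays anything to the submitted "recipient", answers "please wait", and instead logs and e-mails the site admin the submitter's IP address. The admin address, the log path and the field names are assumptions; it needs PHP 7.4 or later for the arrow function.

```php
<?php
// Added example, not from the original thread: a decoy that looks like a
// Formmail-style handler but only records who is abusing it.
// ADMIN_EMAIL and LOG_FILE are assumed values; adjust for the deployment.

declare(strict_types=1);

const ADMIN_EMAIL = 'sysadmin@example.com';        // assumed admin address
const LOG_FILE    = '/var/log/formmail-decoy.log'; // assumed log path

/**
 * Build the report text. The IP comes from server-side data, never from a
 * form field, and user-supplied fields are truncated and stripped of CR/LF
 * so a crafted submission cannot inject extra lines into the report.
 */
function buildReport(array $post, array $server): string
{
    $ip   = $server['REMOTE_ADDR'] ?? 'unknown';
    $when = gmdate('Y-m-d\TH:i:s\Z');

    // Assumed Formmail-style field names; only used for the report.
    $recipient = substr((string)($post['recipient'] ?? ''), 0, 200);
    $subject   = substr((string)($post['subject'] ?? ''), 0, 200);
    $agent     = substr((string)($server['HTTP_USER_AGENT'] ?? ''), 0, 200);

    $clean = fn(string $s): string => str_replace(["\r", "\n"], ' ', $s);

    return "Formmail decoy hit\n"
         . "time: $when\n"
         . "ip: $ip\n"
         . "attempted recipient: " . $clean($recipient) . "\n"
         . "attempted subject: " . $clean($subject) . "\n"
         . "user-agent: " . $clean($agent) . "\n";
}

function handleRequest(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        header('Content-Type: text/plain');
        echo "Method not allowed\n";
        return;
    }

    $report = buildReport($_POST, $_SERVER);

    // Write the local log first so the evidence survives even if mail fails.
    // The web server user must be able to append to LOG_FILE.
    file_put_contents(LOG_FILE, $report . "\n", FILE_APPEND | LOCK_EX);

    // Notify the admin. The subject is a fixed string and nothing from the
    // request reaches the mail headers, so the decoy cannot itself be relayed.
    mail(ADMIN_EMAIL, 'Formmail decoy hit', $report);

    // The submitter gets a stalling response; no mail was sent on their behalf.
    header('Content-Type: text/plain');
    echo "please wait...\n";
}

handleRequest();
```

Drop it in at the path the retired Formmail handler used to live at; anything still posting to that URL is worth a look, and the log line gives the admin a timestamp and source address to act on.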