Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Help Groups for Snitz Forums 2000 Users
 Help: Database: MySql
 Security issues with connection string.
 New Topic  Topic Locked
 Printer Friendly
Author Previous Topic Topic Next Topic  

marckmcgill
Junior Member

Italy
134 Posts

Posted - 29 January 2010 :  04:04:11  Show Profile
Hello everybody. As said in a parallel topic, we're converting from Access to mySQL so I'm quite new to anything implied with the use of mySQL.

I set up the connection string for mySQL and stuck open-mouthed when I saw that the username and password for the entire database has to be written in clear into the connection string.

I'm not an expert of the matter, but isn't this an open door to phishers? Can't everyone read that portion of ASP code and simply copy the username and pass of the entire database and then do whatever they want with it?

I think I'm missing something important here. Perhaps the user specified in the connection string should be restricted to only some read/write permissions and be different from the "main" user of the database?

Thank you.

Edited by - marckmcgill on 29 January 2010 04:06:41

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 29 January 2010 :  04:17:46  Show Profile  Send ruirib a Yahoo! Message
Asp files can't be downloaded from the web. If someone has access to the connection string, that would mean your web server had been compromised and you would have bigger issues to deal with.


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 29 January 2010 :  04:29:13  Show Profile  Visit HuwR's Homepage
quote:
Perhaps the user specified in the connection string should be restricted to only some read/write permissions and be different from the "main" user of the database
This really should be the case regardless of whether someone could read the asp config file or not, it is never a good idea to give a database user for something like a forum the same rights as the user that you created the tables with etc. Unfortunately with hosted websites it is not allways possible to have more than one user.
Go to Top of Page

marckmcgill
Junior Member

Italy
134 Posts

Posted - 29 January 2010 :  05:24:24  Show Profile
quote:
Originally posted by HuwR

quote:
Perhaps the user specified in the connection string should be restricted to only some read/write permissions and be different from the "main" user of the database
This really should be the case regardless of whether someone could read the asp config file or not, it is never a good idea to give a database user for something like a forum the same rights as the user that you created the tables with etc. Unfortunately with hosted websites it is not allways possible to have more than one user.

Thanks for your replies. This is actually possible in my case, so which read/write permissions must be left to the user specified in the connection string in order to improve security at its maximum but still allowing the forum to work?
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 29 January 2010 :  06:44:25  Show Profile  Visit HuwR's Homepage
what is actually possible in your case? that anyone can open your config.asp ?

the user would require select/insert/update/delete permissions on the forum tables, they should not be able to create/drop or alter the table structures

if the tables were created by a user other then dbo, then you may have to tweak the table prefix in config.asp to include the schema name
Go to Top of Page

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 29 January 2010 :  07:10:39  Show Profile  Send ruirib a Yahoo! Message
Huw, in MySQL they don't use schema names. In my experience with Snitz, I think only once when a forum was hacked I saw a table being dropped. So, yes, if possible, use two users, one to create tables and do any mod required changes and then another just to be able to read / write table data. No meaningful change though, as if someone does hack into your forum, they can still erase data by using a DELETE command instead of a DROP...

Specifying the connection string in the page (or a config file) is done in all dynamic web scripting languages I know - VbSscript / ASP, the several .net supporting languages, php, etc. One way to avoid that would be to use an ODBC data source, but that can lead to slower performance and no real security advantages, as deleting all records from a table will still be possible.


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

marckmcgill
Junior Member

Italy
134 Posts

Posted - 29 January 2010 :  10:14:22  Show Profile
quote:
Originally posted by HuwR

what is actually possible in your case? that anyone can open your config.asp ?
To have more thank one user.

Thanks for the replies, I actually couldn't figure that reading the content of an ASP code from the outside was so hard. I will eventually set up two users anyway. Thanks for clearing it out!
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.11 seconds. Powered By: Snitz Forums 2000 Version 3.4.07