doubledee — 2012-01-21T21:41:43-05:00 — #1
I am using a free web hosting site for my Test Site. (www.byethost.com)
It allows you to create MySQL databases and offers phpMyAdmin as well.
Everything is just about set up, however, I don't know how to find the following...
Database Host Name
guelphdad — 2012-01-21T22:17:48-05:00 — #2
you would use localhost as the host name.
you'd use CPANEL and then Databases (I think it is marked that way). you'd then create a database and then you'd create a user and password for that user and privileges for that user. you'd then assign that user to the database.
you can then use the user/password combo with localhost or 127.0.0.1 as the host name in your scripts.
doubledee — 2012-01-21T22:31:31-05:00 — #3
On my Dev Laptop
SELECT CURRENT_USER( )
On my Free Hosting Account
SELECT CURRENT_USER( )
How does that compare to what you said above?
serverstorm — 2012-01-23T14:24:16-05:00 — #4
guelphdad was saying that in PHPMyAdmin or in CPanel (depending on the way your host sets up the database management) you should be able to created database users where you will create users with usernames and passwords as well as assign database permission for each user.
You are advised to create a user that has only the minimum amount of permissions that your application needs. You will then use this user for the Database user and associated Database password with the local host being 127.0.0.1.
If on your local machine you create the same user as on your host and they both have the same permissions then when you code locally you can simply copy the PHP and upload content to MySql on your host and it will work. As it stands right now you will have to change all your local database connection strings with username and password before you upload them to your host (or edit the database connection strings through the file manager is CPanel).
Hope this helps
doubledee — 2012-01-23T20:07:31-05:00 — #5
Well, your response doesn't answer my original questions, but it brings up another point on which I have always wondered...
They say that "running as 'ROOT'" is a bad idea.
As you can see above, locally my database name and password are 'root'.
1.) Just because my Username and Password are 'root' doesn't necessarily mean that I am running as 'root' in my MySQL database, right??
2.) What would make a MySQL User 'root' (or have 'root' access)??
3.) What User/User-Type are my Users running as when they use my database?
4.) I don't think I understand how a User/User-Type relate to strangers on the Internet accessing/using my database?
Does each User have a User-Type with associated "rights"??
Or is there some "generic" User??
5.) What do I need to do to make my MySQL run in a safer mode?
serverstorm — 2012-01-24T13:56:24-05:00 — #6
Running as root is considered bad practice in Linux as it means if anyone ever hacks the Linux server has full unabashed rights to do all sorts of dangerous stuff, also full root does not challenge when permissions or rights are changed. In Linux (which is most likely the type of O.S. running on your free host) a user normally uses 'sudo' to perform admin functions - in other words they temporarily take admin capabilities for the specific task being performed, but if someone hacks their user then it is typically not as dangerous as root.
The Linux operating system has users and rights which are not related to MySql users and permission. For example a Root Linux user can have no or very limited access to a MySQL database running within its' own system.
To your questions:
You or may not be using a 'lets call it an' admin account on your free host; it depends what database permissions are given to this user:
<font face='monospace'><font color='#993333'>[B]SELECT[/B]</font> <font color='#993333'>[B]CURRENT_USER[/B]</font><font color='#66CC66'>(</font> <font color='#66CC66'>)</font> </font>
b2_12345@% <font color='#808080'>[I]------------------------[/I]</font><font color='#993333'>[B]SELECT[/B]</font> <font color='#993333'>[B]USER[/B]</font><font color='#66CC66'>(</font><font color='#66CC66'>)</font> <font face='monospace'>b2_12345@192<font color='#66CC66'>.</font>168<font color='#66CC66'>.</font>0<font color='#66CC66'>.</font>2</font>
This user could be granted full admin rights, which would be a bad idea to use this database users in your connection information.
A MySql can be granted user permissions, database permissions, and host permissions. A user that has:
- User Permissions:
- Access from 'Any' Hosts (any location remote or local)
- Permission: Select table data, Insert table data, Update table data, Delete table data, Create tables, Drop tables, Reload grants, Shutdown database, Manage Processes, File operations, Grant privileges, reference operations, Manage indexes, Alter talbes, Show databases, Superuser, Create temp tables, Lock tables, Execute, Slave replications, Client replication, Create View, Show View, Create Routing, Alter Routine, and Create User
- Database Permissions: Can access 'Any' database from 'Any' hosts with 'All' permissions
- Hosts: Can Access 'Any' databases from specific hosts (say 172.16.0.172 or myfavouritedeveloper.com) with 'All' permissions
A user with all these permission would have 'Super User' abilities. This is why I said that your 'b2_12345'user may be set with some or all these permissions. You will likely have some control of some of these permissions in your CPanel; although hosts differ in what control they give to you.
Knowledgable hackers can do a number of security driven 'vector' attacks on your php application that can expose your database connection info. If your user has full rights then they can reek all sort of havoc with your database; they could hack your database, or maybe run another MySQL spam database from your account.
There is no 'generic' user in MySQL. The rest of this is answered in Q2
Understand what rights a user needs with your applications and run a user with just the permissions required to run your application. For example, if your application only requires the ability to Select, Insert, and Update then you create a database user with only these rights and use it in your connections string. The other important part to your security is understanding how your host secures MySQL, you might want to ask them what security measures they use. You could research what they told you to ensure they are following best practices and appropriate security measures.
Hope this helps.