Re: hacker help: PHP-4.2.3 patch to allow restriction of database access

From: "Michael Paesold" <mpaesold(at)gmx(dot)at>
To: "Jim Mercer" <jim(at)reptiles(dot)org>,"Peter Eisentraut" <peter_e(at)gmx(dot)net>
Cc: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>,"PostgreSQL Development" <pgsql-hackers(at)postgresql(dot)org>,"Gavin Sherry" <swm(at)linuxworld(dot)com(dot)au>
Subject: Re: hacker help: PHP-4.2.3 patch to allow restriction of database access
Date: 2002-09-28 13:57:27
Message-ID: 009201c266f6$fcf11080$4201a8c0@beeblebrox
Lists: pgsql-hackers
Jim Mercer <jim(at)reptiles(dot)org> wrote:

> as it currently stands, virtual hosts can trample all over other databases,
> and with the nature of a single uid for all apache/php/libpq processes,
> they are generally doing it with the same pgsql user.

I haven't followed the whole thread, so perhaps I missed something. But why
not just use password authentication to the database with a different user
for each database? Ok, one has to store the plain-text passwords in the php
files. You have to protect your users from reading each other's files anyway;
this can be done.

At least you can set up different users per database, so that it doesn't
matter if the proposed restriction setting is by database or by user.

Regards,
Michael Paesold
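
The setup proposed in the message above (one password-authenticated database user per database) can be checked against a server's pg_hba.conf. The following is an added example, not part of the message or the thread; it assumes the pg_hba.conf field layout of current PostgreSQL releases, and the database and role names (site_a, site_b, site_c) are constructed.

```python
"""Audit pg_hba.conf rules against a one-role-per-database policy."""

# Methods that cannot tell virtual hosts apart when every apache/php
# process runs under the same OS uid: none of them asks for a password.
SHARED_UID_METHODS = {"trust", "peer", "ident"}

# Constructed sample, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER    ADDRESS        METHOD
host    all       all     127.0.0.1/32   trust
host    site_a    site_a  127.0.0.1/32   md5
host    site_b    site_b  127.0.0.1/32   scram-sha-256
host    site_c    site_a  127.0.0.1/32   md5
"""

def parse_hba(text):
    """Yield (line_no, databases, users, method) for each rule.
    Simplified: CIDR addresses only, no quoted fields or include files."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        need = 4 if fields[:1] == ["local"] else 5  # local rules have no address
        if len(fields) < need:
            continue
        yield line_no, fields[1].split(","), fields[2].split(","), fields[need - 1]

def audit(text):
    """Return (line_no, finding) pairs, in file order, for rules that break the policy."""
    findings, seen = [], {}  # seen: role -> first database it was granted
    for line_no, dbs, users, method in parse_hba(text):
        if method == "reject":
            continue
        if method in SHARED_UID_METHODS:
            findings.append((line_no, "method '%s' asks for no password" % method))
        if "all" in dbs:
            findings.append((line_no, "rule covers every database"))
        if "all" in users:
            findings.append((line_no, "rule covers every role"))
        for user in users:
            for db in dbs:
                if "all" in (user, db):
                    continue
                first = seen.setdefault(user, db)
                if first != db:
                    findings.append((line_no, "role '%s' is shared by databases '%s' and '%s'" % (user, first, db)))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_HBA):
        print("line %d: %s" % (line_no, finding))
```

pg_hba.conf only decides which role may authenticate to which database; privileges inside each database are granted separately and are not covered by this check.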

