
osCommerce


Security MySQL Configure


gatman


(Apologies if there is already a thread or answer to this, but we have spent considerable time searching. Just direct us to the docs / thread.)

What are the preferred settings of MySQL and the config file for security purposes? The majority of users are setting up the database and software "out of the box". It seems entirely insecure.

Typical default example: localhost, root, somepassword

configure.php just mirrors this and is a public document exposed to the world.

=====================

1) Can configure.php be located outside the web server? If so, where would this edit occur (we haven't scoured for this yet)?

2) Is there a more appropriate MySQL setting and grant of privileges?

Example of all permissions:

Grant select, insert, update, delete, index, alter, create, drop, reload, shutdown, process, file

Which are necessary for the public user?

3) Is there a crypt function for the password or something similar?

=========================

Maybe this would help us all.

Thanks

John


1. Configure.php should be outside the web server by default. Look at the .htaccess in the includes directory. If it is not working, you should port its functionality to the web server configuration or ask your host to AllowOverrides (i.e. look for .htaccess files).

2. Yes. Make a new user with select, insert, update, delete privileges on the osC tables and no rights on anything else. Alter, create, drop, etc. are only needed for the original upload (this is why it asks for the details twice: the first time needs the higher privileges; the second time should be the new user). There is a thread somewhere that lists the exact minimum permissions that can be given (on a per table basis).

3. This would be of limited utility. Encryption is useful in situations where you are sending data outside of your control. However, you should only connect with the password over secure networks. Thus, your password should never be exposed.

Hth,

Matt

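The two-account split Matt describes (a privileged account for the installer, a DML-only account for the running shop), written out as MySQL statements. This is an added example, not code from the thread or from osCommerce; the database name `oscommerce`, the account names `osc_install` / `osc_web` and the CHANGE-ME passwords are assumptions.

```sql
-- Added example (not from the thread): least-privilege MySQL accounts for an
-- osCommerce install, replacing the "localhost, root, somepassword" default.
-- Assumptions: the shop database is named `oscommerce` and the web server
-- connects from the same machine, so both accounts are bound to 'localhost'.
-- Replace the CHANGE-ME placeholders with real passwords before running.

-- 1) Install-time account: the first set of details the installer asks for.
--    It needs CREATE/DROP/INDEX/ALTER to lay down the schema, but only inside
--    the shop database, never globally.
CREATE USER 'osc_install'@'localhost' IDENTIFIED BY 'CHANGE-ME-install-secret';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON `oscommerce`.* TO 'osc_install'@'localhost';

-- 2) Runtime account: the second set of details, the one that ends up in
--    includes/configure.php. Row-level DML only, scoped to the shop database.
CREATE USER 'osc_web'@'localhost' IDENTIFIED BY 'CHANGE-ME-runtime-secret';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `oscommerce`.* TO 'osc_web'@'localhost';

-- From the "all permissions" list in the question, RELOAD, SHUTDOWN, PROCESS
-- and FILE are deliberately absent from both accounts: they are server-wide
-- rights (reading files on the DB host, stopping the server, seeing other
-- sessions) and a storefront never needs them.

-- 3) Once the installer has finished, the privileged account has no further
--    use; remove it so a leaked configure.php only ever exposes osc_web.
DROP USER 'osc_install'@'localhost';

-- 4) Verify the runtime account: the output should list USAGE plus a single
--    SELECT, INSERT, UPDATE, DELETE grant on `oscommerce`.*, and nothing else.
SHOW GRANTS FOR 'osc_web'@'localhost';
```

If you later apply the per-table minimum that Matt mentions, replace the database-level GRANT for `osc_web` with one GRANT per table and re-run SHOW GRANTS to confirm no wildcard grant remains.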

Hi Matt, many thanks.

Unless I am mistaken, by default, our installs have placed includes / configure.php under htdocs.

Now that it is there, how would you suggest handling the move and which file(s) to edit? Is an edit to application_top.php all that's necessary?

Yes, the .htaccess file is there and blocking with access.

We will create a new user with limited grants.

Regards

John
