guys!
I need to ask you a question... I'm mew in programming business and if this question seems silly, please indulge me.
I have a little site where people have to register in order to post something. So I register every user in the database. I log into the db with:
$pdo = new PDO("mysql:host=localhost;dbname="MY-DB", "My-USER", "My-password");
The question is: when I log into the databse to do whatever operation I need (select, update, delete, insert) how many users ("MY-USER") should I create to login to the db ? Should I create one db-user for every users that registers on my site, or one one single user is enough to do the operations ?
Thanks.
In normal situations you should have additionally to a root user, which can create new databases and add new users, you should create one user per application which is accessing the database, so that a bug in one application wouldn't affect another.
In your case this means to have 1 additional user for your web application which has all permissions on one mysql-database and can create the necessary tables as well as read / modify data in those.
You should not use mysql as your user manager, instead create a table with the users, their (hashed) passwords, ... and manage them in your application.
Related
I have a database setup online where I take user registrations and provide them a pass to enter the event ( people gathering), Now at the event I also have to perform user registrations, situation is internet is not always stable at the event so I am considering to setup database offline, I found some guides on mysql replications but not getting full picture if its possible the way I want.
At the event I will setup database at my localhost and register users offline, also take new registrations online ( on other server hosting a copy of same database online), users table has an autoincremental index which is going to be a huge problem to sync both databases using mysql replication, when both servers will add a record to the same table ,it will assign the same index id to both databases. Is there something I can do to avoid this issue.
Well, master-master replication does exist, and may suit your purposes, but it has some drawbacks.
I think you should consider taking registrations in a different form when on-site, then insert them into your main database when you get home. This is a pretty common way to do things.
If you really need to it with MySQL, come up with a "merge" tool that can re-create the users created off-site, on demand; as you pointed out, you'll need to account for different auto-increment IDs, but that's not necessarily an actual problem. It just needs to be dealt with.
If your primary concern is that you have 2 systems that need to generate id that are unique from each other without coordination, there's a couple of things you can:
Use auto_increment_increment and auto_increment_offset. Simply put 1 of your 2 servers might use even id's and the other one odd ones.
Use a different key, maybe a natural key (email address?)
Use something like a UUID (or GUID if you're in the microsoft world. They're really the same thing).
you can dump the database from server to local from terminal like below.
Run command : mysqldump -h hostname -u username -ppassword databasename > C:\path_to_file
I'm tasked to work on a web based SQL simulator much like what can be found on SQL Fiddle or the one on W3Schools' SQL Tryit editor. Here are the requirements for the simulator:
Multiple Students will be using the simulator at the same time.
The teacher should be able to see or track their changes and queries.
DDL should be included (e.g, CREATE, ALTER, DROP DATABASES & TABLES), of course certain privileges are enforced as to not ruin the database.
And also a simulation using MySQL directly obviously won't work. So, to anyone who has a suggestion on how to go about doing this, that would be awesome.
Hmmm quite a difficult task you got there...
I would try an approach like this:
Create a sample database with some entries and tables based on the task for the students
Whenever a students logs in and starts the task, copy this sample database for this specific user
Create an input field for all MySQL commands in your view and an execute button
Whenever the student clicks on execute: log his input and maybe the current database state to a log and execute the command on the database created for the user and return the return values you get from MySQL (errors, messages or selects) to the user
This approach is easy and reliable because the student can't harm another database besides his own (provided the database rights are configured correctly) and he can just restore the database from the sample database if he f*cked up.
It should also meet your requirements:
Multiple students can work on it simultaneously: Check
The teacher can track their changes: Check
DDL is possible and the student can't harm anything besides his own DB: Check
So I am currently building a new Wordpress site that has a functionality where users can login and create a business listing for themselves. All of these users are currently using another site of the clients to perform other business aspects.
We are looking at bringing all the sites together in time.
Right now though, I have a user table on the existing site that has login details (username, display name and password among others). I want to grab these details including the MD5 hashed password field and import it into the Wordpress users table?
Is this even possible?
Thanks,
A
It seems most of the data is transferable, you'll need a script or something to make sure all the data from your other website is inserted the right way in your wp_users and wp_usermeta table.
All data you want to save extra for users, can be inserted in the wp_usermeta table as key-value pair.
To make sure users can login into the new WordPress site :
This is possible if you set your security in WordPress using MD5 hash only without using a salt.
You can do this by overwriting wordpress's wp_hash_password() method.
But you are better of letting existing users change their PW, because MD5 is really insecure.
I have managed to find a way to do this. It may be a little backwards, and please correct me if I have this entirely wrong.
I grabbed a SQL dump from the old database using phpMyAdmin of the fields that I needed. I edited the SQL file and adjusted the field names to correlate with the Worpress wp_users table. Then in the new database I used an INSERT INTO command to create the new users.
In Wordpress I then had to assign all the new users a role.
It took the MD5 hashed password and stored it initially in the DB but on the first login it changed the encryption to phpass.
Hope this helps anyone else looking.
A
I have a JSP/MySQL web service where users interact with "processes" -- they can upload data, configure, view reports, etc for a given process. They can also create new processes or run reports that compare several processes.
Currently, the process id is specified in the URL (a GET parameter) so any user can interact with any process. I have been asked to add security and multi-tenancy to this service. For simplicity, let's say each tenant has full access to a set of processes, but processes may be accessible by multiple tenants.
My preferred approach:
Add a user table (PK_User_Id, password_hash, name, etc)
Add an access table (FK_User_Id, FK_Process_Id)
An SSL login page that stores the Tenant_Id in the Session
A process-select page that lets you choose a Process_Id that you have access to, and stores that in the Session
Almost every page will create its SQL queries based on the Session's Process_Id
"Cross-process" pages like Create, Select, and Compare will work off of the Session's User_Id instead
My boss thinks that this is not secure "enough" to satisfy an external code audit. He fears that a wayward developer could still write a query that exposes one customer's data to another, or something.
He wants me to also use ANSI SQL's built in ROLES (the app must stay DB agnostic) to create a db role for each user. The role will detail which tables the role has access to, which rows in shared tables, etc. This way, upon login, the Connection will be "safe" and no developer mistake can possibly cause issues.
Is this possible?
Are there such a thing as DB-agnostic "Roles" that work with MySQL?
Can the roles specify that you are allowed to add rows to a table iff the primary key is 'foo'?
Is my system "secure enough" by industry standards?
Here is what I do for MySQL multi-tenant with a single database to ensure data is private:
Create a mysql user for each tenant
Add a tenant_id column to each table
Use a trigger to automatically put the current mysql user into the tenant_id column on INSERT
Create a view for each table that only shows rows where tenant_id = mysql_user (do not include the tenant_id column in the view)
Restrict the tenant mysql user to only have access to these views
Since the application is using the tenant's mysql user there is no chance that they can accidentally get another tenant's data.
I was able to convert a large single-tenant mysql application to multi-tenant in a weekend with minimal changes. I documented the design here: https://opensource.io/it/mysql-multi-tenant/
use PostgreSQL instead, as it supports real schemas, unlike MySQL
if you have to use MySQL, do the following:
make one mysql user per tenant
add an indexed column to each table, tenant VARCHAR(16) NOT NULL
add a trigger to each table that sets tenant to the mysql connection username ON BEFORE INSERT
create a view for each table that sets WHERE tenant = mysql connection username. DO NOT include the tenant column in the select list
grant permission to the tenant user for views, but not for tables
And now the user can only see their own tenant information.
We had a similar discussion on multitenancy security and handling requests on so question. But in short I think storing tenantID in session is a huge security risk. User can go from one tenant to other and tenantID will remain the same, also tenantID should not be send through url.
Steps:
I want a registered user to be able to insert values into a table.
Those values would only be able to be seen or edited by the user. (a few rows)
I have a registration/login page and insert form page complete and they can add do their respective jobs.
Here's the problem and i realize it probably a super simple answer:
How do I link the registration/login username to the values that I'm entering so that only that username has access to it?
Thanks,
Michael
You can create a MySQL user for each registered user and protect their data at the DB level. That's usually overkill for a web application.
What you probably want here is enforcing data owner at the data access layer. Associate the data to the user and restrict any data queries or updates to that user, i.e. any insert, update, select SQL statements would include the user id as a parameter.