can i connect multiple users with a user name and password on a single port with Mysql server
if not then what is the best approach to do this
help required
regards.
it should work fine. It is the normal usecase of a SQL Server.
It all depends on how your Server is set up. If you chose to let two people share the same creedentials consequently they will be able to both access certain data.
Related
Every time I add an user, it gets duplicated to all virtual hosts. I've been facing this issue for a while and found a way to solve it, see this post, it says I have to configure a separate database to each virtual host.
What I can't understand is why Ejabberd has this default behavior in first place, what is the benefit to do so?
And what about mod_mam? How do I configure it to store each message into its own database?
My ejabberd.yml (mod_mam configuration at line 113)
Thank you. :)
and found a way to solve it
Since recent ejabberd versions, you can use the new SQL schema, and configure ejabberd to use it, see in
https://docs.ejabberd.im/admin/configuration/#relational-databases
What I can't understand is why Ejabberd has this default behavior in
first place, what is the benefit to do so?
One possibility is the saved space for very big servers. Of course, when having many small servers, it's preferable to use one single database.
And what about mod_mam? How do I configure it to store each message
into its own database?
It's the same with this module than with the other ones: if you configure it to use 'sql' storage, and you configured ejabberd to use a certain database for host "example.net", and a different one for "example.com"..., then mod_mam will use the correct SQL database to store the MAM messages depending on the user that wants to store them.
Se the first and second example configs in section https://docs.ejabberd.im/admin/configuration/#virtual-hosting
On the other hand, if you use the new SQL schema, you only define one database, so those doubts do not appear.
[also asked in https://github.com/processone/ejabberd/issues/2752 ]
I am writing a multi-user-application in Delphi (Object Pascal).
I want to use either MySql, Oracle or PostgreSQL as database.
I have a table Users with a username and password column.
(I do not want to have seperate DB logins for each user)
Of course the application itself has to connect to the database and authorize users by the entered username and password combination.
Software like SAP, Sage or Social Networks would use the same approach, i would guess?
So the application has to know a DB login username and password to connect to the database and then check the Users table.
My question is:
Where do i save the DB login username and password for the application so it can check the Users table?
I do not want to hardcode it in the application as it can be easily accessed by reverse engineering and then used to directly connect to the database.
Honestly, your best approach is to follow best security practices around your server. You could use a salt, but the hash function will have to live on the server, too, and if a hacker has access to the server in the first place then it won't be long before they find the hash and pull the password.
I think efficient organization actually produces some security through obscurity. That is, put the DB connect credentials and string in a config file. Still, access to the application code will give a hacker the clues to get what they want, but it doesn't mean you shouldn't follow best coding practices.
Then, lock down your box. Work with your security team to make sure it isn't accessible by anyone they don't want accessing it.
Here's my situation: I have a file, homepage.php, that I want to allow my customers to host on their servers. homepage.php needs to somehow get information from my database, but I don't want my customers to have full access to my database. What's the best way to do this and how can I make it work?
I tried to do it by including the line:
require( "http://www.mydomain.com/connect.php" );
in homepage.php but I'm not sure if that's the right way and also, it gives me an error.
What error does it give you? Also that won't work because your server parses the PHP and send back the result, rather than including the source code like you want.
Easy solution
Have a read-only account, and give those details out to your customer's pages.
Then they can set up the mysql connection with the IP/exposed port of your mysql server and log-in from there.
Better solution
Have accounts for each customer, so privileges can vary accordingly, otherwise same as above.
Best solution
Expose access via a SOAP service. If you have enough customers and they're developing with you, an API is invaluable.
Without the warning it is hard to troubleshoot the connection issue although I bet it might have something to do with it looking at localhost versus the IP of the machine where the database resides.
The best solution is to have an ini file that has the username and password in it for each individual customer and have the connect.php file look for the ini file on that customers local webserver. You can then configure the priveleges for each account to have only select access to certain tables, or update priveleges to certain users, etc.
Also if your customers will be building their own code around yours, developing a SOAP service might be useful.
We need to deploy application(developed by Java) WAR file in client place which make use of MySql 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect data. The client can make use of the application but they should not be able to change any value in database. How to do that?
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO db_user#'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
Best Practice for Designing User Roles and Permission System?
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
Can't set permissions on MySQL user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html
http://www.databasejournal.com/features/mssql/article.php/2246271/Managing-Users-Permissions-on-SQL-Server.htm
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretent he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't forsee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.
How do I check if a user/password pair works without actually making a connection to the database?
The DBMS in question is MySQL.
That was my original question. Since most people get this question wrong, then I should rephrase it as:
How do I check if a MySQL username/password is valid, without connecting to MySQL as that user? (thanks to derobert)
I actually found a solution, check my answer below.
If you want to check if a MySQL username/password is valid, without connecting to MySQL as that user, then you should take a look at the the users table in the mysql database.
But I'd recommend not doing this; that is really an internal MySQL implementation detail, and you really shouldn't depend on it. (e.g., what if MySQL gets LDAP auth someday?)
I think this question is open to interpretation. Most people will jump in and say "You can't.", but if what you are actually asking is "How do I use MySQL to authenticate a user but not actually use the database?" then that's a whole different ball game. Take a look at mod_auth_mysql, an Apache module which does exactly that. If we had more details on what exactly you were trying to do, folks might be more forthcoming.
Login as someone who has access to "mysql" database (schema), and do:
SELECT COUNT(*) FROM MYSQL.USER WHERE USERNAME=? AND PASSWORD=PASSWORD(?)
If the count > 0 then the username/password is correct.
If the username and password are stored in the database, then there's obviously no other way to check them other than to connect first.
The best you could do is perhaps only connect to the DB when they log in. Once they're authenticated, you could store some form of session information on disk, but it's not a great solution.
In short - not posssible if the userid/password are stored in the database.
Authentication basically means that you compare the response to a challenge with known values. If you do not have the values to compare with , you cannot authenticate.
One possible solution would be to devise some sort of scheme where the username/password are an encryption/decryption key pair. Obviously, this would be more feasible in an assigned username world, but such a policy would allow you not to hit the database if that is the primary objective.