Update Mediawiki user password using database - mediawiki

How to modify MediaWiki(v 1.15) user password without using the maintenance script, direct to database.

There's a maintenance script to do that:
php maintenance/changePassword.php --user=USER --password=PASSWORD

I did it... manually inserting in database
"UPDATE wikiuser SET user_password=md5(CONCAT('67','-',MD5('pass'))) WHERE user_id = 15"

Related

encrypting password in shell script

I'm running a shell script on a Ubuntu server, the shell script inserts data to my database (I use MariaDB) for the connection I have a database user and the database user has a password. The problem is the password is plain text, is there a way I can encrypt this password, store it in an other file, or another way so no one can read the password when reading the script?
thanks in advance,
mysql -u db_user -pplain_password <<EOF
USE db_name
INSERT INTO table ()
VALUES ();
EOF
Check out mysql_config_editor. This will allow you to create a .mylogin.cnf file which will store the password in an encrypted form. .mylogin.cnf will be used by your script, or other client program, to connect to the database.

How to create a MySQL installation setup script?

I have an application that stores its data in an MySQL database. The application is using a specific DB account with full access, the indivdual user rights are maintained on application level. Apart from root there is no other user with access to that database.
In order to install the application on a computer I need an sql script that creates the database, the application user, all tables without data, views, triggers, stored procedures, etc.
mysqldump --no-data --routines --add-drop-database --databases dbname > sqlfile will do almost all these things but I could not find any option to include the creation of the user having access to that database. Any hints?
The reason that mysqldump doesn't dump user information is because that is stored in a different database name mysql rather than in the database for your applicaation.
You cannot add this information manually to the generated sql dump either. You have two options. Create a shell script or create a separate sql file that contains user creation information. In either case your file will include statements like
GRANT ALL ON appdb.* TO 'pb_skat'#'localhost';
http://dev.mysql.com/doc/refman/5.7/en/grant.html
Before introducing the application dump to your database.
First list down the users which all are available with you:
SELECT User, Host, Password FROM mysql.user;
Check if that user has permissions using "show grants" command to perform the operation, else provide the permissions to do so.
GRANT ALL PRIVILEGES ON . TO 'root'#'localhost' WITH GRANT OPTION
Create the database name where you want to introduce the dump.

Restoring mysql backup without users

I have a confusion actually. While restoring the mysql backups, we generally use this command.
mysql -u username -p password databasename < backup.sql.
I just tried "mysql databasename < backup.sql" and that seemed to work too. So my confusion is, why do we add username / pass and what are the benefits / disadvantages of using / not using it?
If your MySQL doesn't have blank user and blank password then you couldn't able to import the database.
By default- Mysql installation comes with blank username and password in that case you can restore database without username and password only.
But if you have secure installation of mysql, means removed bkank user than you need to pass privileged username and password to restore the database.
While using mysql command for importing database, you can use either full command or skip some of the parameters.
You can also use :
mysql -u username -p password < backup.sql
This will create the database (if your dump have create database command) and import the tables into that.

MYSQL Password Encryption with BCrypt

I'm automating the process of creating WordPress sites with a custom shell script.
Is it possible to encrypt MYSQL passwords with BCrypt for WordPress? If so, what's the best way to approach this?
Snippet:
#!/bin/bash
execute="
CREATE DATABASE IF NOT EXISTS $dbName;
GRANT SELECT, INSERT, UPDATE, DELETE
ON $dbName.*
TO '$dbUser'#'localhost' IDENTIFIED BY '$dbPass';
FLUSH PRIVILEGES;
"
mysql -uroot -p --show-warnings -e "$execute"
With Ruby, I can encrypt it like so:
encryptedPass="$(ruby -e "require'bcrypt';puts BCrypt::Password.create('$dbPass')")"
Write your own WordPress plugin to convert the hashes using BCrypt.
Also, if you plan to go this route, make sure to audit your code thoroughly. I've included two links that have helped me get started down the path and I'm hoping they might help anyone else who's interested in hardening their setup.
http://www.ethicalhack3r.co.uk/greping-for-bugs-in-php/
https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet

How to create a MySQL user without password - needed for remote login - to be used in bash insert script?

My requirement is to create a user for remote login but without a password. At my remote space I use a bash script to do inserts, which is something like:
for i in {1..5000}; do
mysql -h 11.40.3.169 -uUser -pPass -DDatabaseName <<<
"insert into DatabaseTableName values('$i','dummy_$i');" &
echo -n "$i "
sleep 1
date
done
The problem is that each insert is taking almost 4 seconds, and I can not pinpoint the problem to anything but authentication at every insert. So, if I could create a user in MySQL with minimal authentication involved...Something like:
# I'm trying to remove this password
GRANT ALL PRIVILEGES TO 'user'#'%' IDENTIFIED BY 'password';
...Anything you can suggest.
Just remove the IDENTIFIED BY part:
GRANT ALL PRIVILEGES ON *.* TO 'user'#'%'
Note that remote login from anywhere without a password is a very insecure thing. You better limit the allowed IP range for this user:
GRANT ALL PRIVILEGES ON *.* TO 'user'#'allowed_remote_machine'
You can do this by creating a user with a password and then placing a .my.cnf file in the home directory of the account which runs the bash script containing the following:
[mysql]
user=user
password=pass
[mysqladmin]
user=user
password=pass
This might be better than creating a user with no password.
I think your problem lies in the fact that you are starting the mysql client for each insert. You should be doing your inserts from a php, java, etc program - not from a shell script.
The startup time of the client (and connection to the host) is killing you. I routinely do 1000s of inserts per minute from a php or java program to a MySQL database with millions of records on a small (CPU/memory) machine.
It's not so good idea to have a user without password and all privileges. I suggest you to create a user without password but just with some privileges (insert to specific table or specific database).
First off, using a client cnf file on the remote machine running the script wont speed this up. MySQL client is still sending logon information and logging in for each insert, it's just reading.a file for uid/pw instead of using cmd line arguments. AFAIK The network and authentication overhead are identical. Even the network packet contents will be the same.
You should still use a cnf file..
The way to.improve performance is to do multi-line linserts:
MySQL --defaults-file=/some/uid/pw/etc/.client.cnf -e \
"Insert into
tbl_name
('fld1','fld2')
values
('r1-fld1','r1-fld2'),
('r2-fld2','r2-fld2'),
...and so on (up to max_allowed_packet_size)
('r500-fld2','r500-fld2');"
Or READ DATA INFILE on server side after shipping over the data file