I'm trying to build a website that provides a login for users. Once these users login, they will be able to perform functions that will likely query a database. At some point I will need to add/modify/delete contents in the database and I'm wondering how I would be able create a page on the website that I'd only have access to. Ideally I wouldn't like to have a page on my website that allows me to edit information in my database because it could be susceptible to attacks. So how would the experts from stackoverflow create a page to edit information in their database?
get db management software like phpMyAdmin
with login abilities (or utilize the authentication by HTTP server)
Well, create a normal page - but put access restrictions on so that you're only allowed to use it if the logged in account is an administrator. (You define the administrator roles, and make sure you are one.)
You might also want to make sure the page is only served to some known IP addresses - although that becomes a pain when you suddenly want to use it from elsewhere...
Related
I am currently recreating my portfolio, which is powered by a node/express backend. I want to have some pages where I can update/add projects to my portfolio, and I know that I will be the only admin on this site. I want to protect these pages with admin credentials. I think a user table on my database (mysql) is overkill though... is it a good idea to store user/(hashed)pass in process.ENV? I feel like theres a better way.
A database can be anything, text file, sql db, json file, even a variable in your program. A database it's just something which store data.
So, for me, you can without any issues store your credentials in the process.env. The only constraint is that you have to restart your server whenever you wan't to change password and you have to inject yourself the credentials in environement variables.
But if you're already have an sql database in your project, the best way is effectively to use a table User with hashed password. With this method you can change your password without restarting your app (but in your case is this really usefull ?) and if you're adding some users, the system will be already in place (but YAGNI)).
Here is what I'm doing. I will have an online game that is a real exe application that clients run. Clients connect to my game server. They will have stats, achievements, and be able to buy various things for which I will use PayPal IPN service.
When a player wants to log on, I must be able to retrieve their profile and information from somewhere. When a player wins a game, the game server must be able to add a point to their profile.
Users will need to be able to access their stats from the Web Site, or from the game itself.
Would it be a good idea to use the MySQL database that comes with the Web Site for everything. In that, the game server would get and set properties through php or something?
Otherwise what might be a better solution? Is there a way for my web site to use a database that is on the game server machine, if so would that be a good idea?
How is this sort of problem usually solved?
Thanks
Where you put the database doesn't really matter. If you already have one and it can handle the load, use it. But for security and general organization, you should create a separate database and user within MySQL for your game score information. The user should only be able to access the game data database. This way your other data in the data base is protected from your web interface to the game data in case of a PHP or SQL vulnerability.
MySQL is defineatly the way to go. I have a current setup in a folder outside of public html called users, when a user registers a subfolder inside users is created along with a mysql entry. I use MySQL for username/pass/DOB/etc. and the user's folder for storing pics, acheivements in XML, and comments.
As for the client, I'm sure you could initialize a invisible web browser to access the page, and then use simple coding to get data from the web browser.
MySQL is a popular choice for persistence. Load up the profile at login and cache the data on the client. Then write the updates back at the end of the session. This is one of the things MySQL/PHP was made for. It is cheap, easy and performs and scales well.
I have built a website using html and css (in Dreamveaver CS4) on which I would like to create a section that is only accessible to registered users - users would have to submit their email address and create a password to access the area. I am prepared to take the time to learn with tutorials etc, but I'm a beginner with limited ability of html etc, so I would really appreciate some advice on what would be the easiest way of doing something like this - Drupal? JQuery? I have tried searching online for tutorials but I am getting hundreds of different answers using different solutions and would really appreciate your opinions on how to do this in the easiest possible way.
Many thanks in advance :)
Just pick a tutorial for a scripting language that your web hosting supports. PHP is pretty common: http://phpeasystep.com/phptu/6.html
I would suggest using server side scripting for your login.
For this you would need
A place to store user data
A script that can validate the user
data.
Use whatever scripting language your host supports for this.
You can either use a flat file (text file) to store user data by encrypting it in it or you can use a database (best)
You can write a small script that is called when the user logs in and sets the cookie in the browser
In the pages that only logged in users can view, you can add a small piece of code to verify from the cookie, if it validates, display the data or display something like Authorized users only.
This is a very basic functionality but if that is all you want, this should do it.
Well, you'd need a database on the server to store the username/password combinations. That means you'd need some server side language to interact with the database to check for valid username/password combinations, as well as using the server side language to know -when- to check for username/pw (e.g. which page(s) are password protected).
If you're on a Windows server, MS Access is generally considered to be a good starting point for database, but I'd recommend mySQL or SQL Server for the long run.
For language, there's a ton to choose from. ASP, PHP, ColdFusion, etc. I'm a ColdFusion person, so take this with the bias that implies , but I think CF is the easiest for a beginner to learn.
We need to deploy application(developed by Java) WAR file in client place which make use of MySql 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect data. The client can make use of the application but they should not be able to change any value in database. How to do that?
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO db_user#'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
Best Practice for Designing User Roles and Permission System?
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
Can't set permissions on MySQL user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html
http://www.databasejournal.com/features/mssql/article.php/2246271/Managing-Users-Permissions-on-SQL-Server.htm
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretent he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't forsee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.
Is there a way to secure tables in ms access db from unauthorized access? I would like my users to use the forms in the db but i don't want them to see the contents of the tables. I know i can hide a table but anyone who knows just a bit about access can show the hidden tables anyway. I cna also change a name to UsysTableName but again - enabling system tables shows them all. Is there a safer way? Securing by password maybe?
Also in access there are users and groups, and the possibility of granting rights.
You can access this functionality via tools/security/user and group permissions.
You need to create a workgroup information file in order to use this :
see : http://www.databasedev.co.uk/access_security.html
NOTE : Indeed Ms Access is in most cases a poor choice of db. But if you have to keep on using it for one reason or another, learning its security model is imperative in real world apps.
For Access 2003 Understanding the role of workgroup information files in Access security at http://support.microsoft.com/kb/305542/.
For Access 2007 How to use the Workgroup Administrator utility in Access 2007 at http://support.microsoft.com/kb/918583.
In your case, I suggest moving the tables you want to secure into a different database then link to the User-Interface (front end) database. This allows you more control over security. Using a password only keeps non-users out of the database. Logged in users can still see the tables.
One solution is to have your forms on one side (client side) and your tables on the other side (server side). Each user has only a copy of the forms, and the tables are somewhere else on the network.
Another solution is to install the runtime version of access (free to use) on user's computer. In this case the database window does not appear.
Whatever is you choice, you'll have to fully manage access to commandbars, creating you own ones (and forbidding the display of access commandbars).
If you go for the first solution, you'll be on your way to a real client/server structure, and you'll be able sooner or later to switch to SQL Server for your tables (your forms can then stay in an Access client application).
With some limits, it is possible to completely delete the links to the back-end tables in the front-end/app:
During app open, just use ChDir "\\someShare\someFolder" in VBA
As the source of your forms & reports, use SQL SELECT instead of saved queries/tables, using the syntax: SELECT field1, field2 FROM [BackendName_be.mdb].myTable. Note that the path is NOT specified!
This way the forms/reports will work perfectly, without any table (not even hidden) in the app.
If you put the BE in a hidden folder/share and you deliver an MDE, users will have a very hard time finding where the data is.
This technique has the added benefit to allow instant switching of the back-end (like between test/prod).
Access does a very poor job of securing data in tables. Your users NEED access to the tables in order to work with the data, but you don't want them possibly seeing EVERYTHING. You could encrypt the data in your tables yourself on the fly. I talk about this in my Access Data Encryption seminar.