https://www.webmaster-forums.net/crss/node/1036497 en https://www.webmaster-forums.net/web-database-development/plesk-encouraging-god-users-mysql-horrible-database-practice#comment-1210254 <p>I think both of you are well ahead of the curve. You would not believe the things <strong>I SAW</strong> customers do while in the hosting business. I am talking about seriously amateurish implementations that just screamed "hack me."</p> <p>Yesterday, I had the pleasure of sitting in on two talks on web application hacking by one of the authors of <a href="http://www.amazon.com/Hacking-Exposed-Web-Applications-Second/dp/0072262990/" class="bb-url">Hacking Exposed Web Applications</a>. He demonstrated a bunch of scary stuff with blind SQL injection, cross site scripting, and good-old-fashion recon-and-exploit.</p> <p>A few points about databases:</p> <ol class="bb-list"> <li><strong>Most </strong>web applications are exploitable</li> <li>The entire database can be extracted through a single injection spot even when error reporting is turned off (look up Blind SQL Injection)</li> <li>It does not matter which database server or programming environment you use, they are all vulnerable.</li> <li>Always pay attention to what you put in your URLS. That is where attackers first look for weaknesses.</li> </ol> <p>Frameworks help when used properly as they can be fixed much like an operating system can be patched to close a vulnerability.</p> <p>By the way, be sure that you <strong>have no web accessible</strong> web logs or analyzed statistics. Information that is accessed the least is very valuable as they often point to administrative interfaces.</p> <p>Frank</p> Thu, 09 Nov 2006 13:25:43 +0000 FrankR comment 1210254 at https://www.webmaster-forums.net https://www.webmaster-forums.net/web-database-development/plesk-encouraging-god-users-mysql-horrible-database-practice#comment-1210063 <p>For the pregam I wrote, I also have 3 users. one that is read only of general information, one that can read/write user databases once they are loged in, and one for only during signup/maintenance scipts (to create new databases for new users, to archive and delete databases from users that have been expired 6 months, etc). Then we also have full access one that is not used by the program, either used SSH in or using phpMyAdmin on the secure side of our server.</p> <p>-Greg</p> Mon, 06 Nov 2006 14:19:56 +0000 Greg K comment 1210063 at https://www.webmaster-forums.net https://www.webmaster-forums.net/web-database-development/plesk-encouraging-god-users-mysql-horrible-database-practice#comment-1210018 <p>I certainly don't use Plesk to configure MySQL access! We use Plesk on this site (not through choice) and we do not like it at all. It's very restrictive and assumes far too much about what you're trying to do. I think what you've pointed out is a good example of that: because users are obviously too stupid to control permissions themselves!</p> <p>Personally I just SSH into the server and type mysql -ublah -p then enter SQL manually. There are some good tools from MySQL for managing databases remotely (if you don't like/don't have access to SSH): <a href="http://dev.mysql.com/downloads/gui-tools/" class="bb-url">http://dev.mysql.com/downloads/gui-tools/</a></p> Sun, 05 Nov 2006 20:38:49 +0000 JeevesBond comment 1210018 at https://www.webmaster-forums.net