1

I'm building a php system that adds and deletes users in mysql. It's currently set up like so: - user attempts to log in to site - looks up username and hash(sha256, salt, password) in projectdb.users (which is also a mysql users credentials) - finds it and then uses that username and password to do any mysql_connect's while logged in

So when I add a user in the system I'm adding their credentials to a table and adding them as a mysql user with minimal permissions only on the projectdb database.

But when I add an admin account I'm giving them full permission to that db and giving them mysql grant/add user permissions so they can add more users. This seems like too much power, even though these users can't directly connect and log into mysql (but if they could they could add anyone).

Instead of actually adding mysql users to the system is it better to hard code a single user and admin's permissions in the php files? Is there a safer way than those two ideas?

Matt_
  • 43
  • 1
  • 7
  • 2
    If this is a web app, why are you adding them to the MySQL users at all? Is this for logging? I can't see programmatically adding users as a good practice without a really compelling reason. – AlexC Feb 13 '12 at 03:19
  • you know every user can share one mysql user set of credentials? –  Feb 13 '12 at 03:20
  • 1
    Database connection credentials are commonly stored with the application code, and it is quite unusual (for a web app) to associate application users with individual database accounts. – Michael Berkowski Feb 13 '12 at 03:21
  • @AlexC, this should be posted as an answer. It's the right one. – davidethell Feb 13 '12 at 03:22
  • @davidethell I took your suggestion to heart. Thanks. – AlexC Feb 13 '12 at 03:30

2 Answers2

5

If the user is not accessing the database directly, you don't have to give them the grant/add user permission directly.

Most CMS implements a permissions table that will allow the PHP code to check if the user has the proper permissions to perform a certain action. As such, your PHP code can simply check to if the logged-in user has the permission set by the permissions table, then have an actual admin user (i.e., root) create the user itself. It is more roundabout, but gives slightly more fine-grain control by creating an extra layer upon that permission structure.

seeming.amusing
  • 1,179
  • 1
  • 8
  • 18
  • yeh that's what I've been thinking, but then what is the safest way to grab an admin mysql users permissions? Do I just put them inside the php file? I know that php code is all processed server side but if someone managed to save the php files they would see the username and password. – Matt_ Feb 13 '12 at 03:57
  • Just had a look around and found some good answers to my comment above, I think I'll use the .htaccess file method to protect the password. Thanks all. [how-to-secure-database-passwords-in-php](http://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php) – Matt_ Feb 13 '12 at 04:34
2

Per David's suggestion... If this is a web app, why are you adding them to the MySQL users at all? Is this for logging? I can't see programmatically adding users as a good practice without a really compelling reason. This is usually abstracted on purpose and to minimize risk.

AlexC
  • 1,091
  • 13
  • 25