nV News Forums

 
 


fivefeet8 01-23-07 02:41 PM

Mysql Remote Access
 
When you connect to a remote Mysql Database using a PHP script located on another webserver, does the database receive information about the other webserver's IP, or does it receive the user's IP?

For example, a PHP script will be accessing 2 databases to retrieve data and display it to a logged-in (using sessions) user. 1 database will be local to the script, but the other will not.

Is it possible to permit access to a remote mysql database only from where the script is running?

evilghost 01-23-07 02:48 PM

Re: Mysql Remote Access
 
PHP is server-side; as a result, the connection to the remote MySQL server will be made by the PHP webserver, not from the HTTP REMOTE_ADDR.

I'd just use an iptables script to block access.

Assuming your default INPUT policy is ACCEPT and mysql is listening on TCP 3306:

iptables -A INPUT -p tcp --dport 3306 ! -s PHP_webserver_ip -j DROP

Assuming your default INPUT policy is DROP and mysql is listening on TCP 3306:

iptables -A INPUT -p tcp --dport 3306 -s PHP_webserver_ip -j ACCEPT

fivefeet8 01-23-07 02:58 PM

Re: Mysql Remote Access
 
Thanks. That makes it a bit easier to secure the remote Mysql Database. So does that mean that anyone logging in to the webhost running the PHP scripts will be able to access the remote mysql Database? From the sound of it, it should, right?

evilghost 01-23-07 03:04 PM

Re: Mysql Remote Access
 
Quote:

Originally Posted by fivefeet8
Thanks. That makes it a bit easier to secure the remote Mysql Database. So does that mean that anyone logging in to the webhost running the PHP scripts will be able to access the remote mysql Database? From the sound of it, it should, right?

They will have rights to connect to MySQL on the protocol/service level but will not have rights to the database unless they are authenticating with the same database username/password. Access to MySQL database objects (databases, tables, rights, etc.) is controlled by the MySQL GRANT statement.

Basically, it's two methods of security.

1) Port security, only permit the web host to connect to MySQL. This keeps the script kiddies at bay and is good security.

2) Actual MySQL authentication.
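
The second layer described in the post above, as an added example that is not part of the original thread: a MySQL account bound to the web server's address, with read-only rights on a single database. The address 203.0.113.10 (standing in for PHP_webserver_ip), the account name report_ro, the database name remote_app and the password are all assumptions made for illustration.

```sql
-- Constructed values: 203.0.113.10 stands in for PHP_webserver_ip;
-- report_ro, remote_app and the password are placeholders.

-- A MySQL account is identified by 'user'@'host'. Binding the host part to
-- the web server's address means a login with the right password from any
-- other address matches no account and is refused by the server.
CREATE USER 'report_ro'@'203.0.113.10'
    IDENTIFIED BY 'replace-with-a-long-random-password';

-- Grant only what the PHP script needs: read access to one database.
-- No rights on other databases, no write rights, no GRANT OPTION.
GRANT SELECT ON remote_app.* TO 'report_ro'@'203.0.113.10';

-- Check what the account can actually do.
SHOW GRANTS FOR 'report_ro'@'203.0.113.10';

-- Audit: list accounts whose host part is empty or contains the % wildcard,
-- i.e. accounts that are not pinned to one address. With such accounts the
-- packet filter on TCP 3306 is the only source restriction in place.
-- (The \% escape assumes the default SQL mode, without NO_BACKSLASH_ESCAPES.)
SELECT user, host
FROM mysql.user
WHERE host = '' OR host LIKE '%\%%';
```

Other users on the web host can still reach TCP 3306 through the firewall rule, but without this account's password they get no access to remote_app.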

fivefeet8 01-23-07 03:10 PM

Re: Mysql Remote Access
 
Thanks again.

evilghost 01-23-07 03:13 PM

Re: Mysql Remote Access
 
Quote:

Originally Posted by fivefeet8
Thanks again.

Glad to help :)

sm0ke 03-09-07 03:17 AM

Re: Mysql Remote Access
 
Well, this is a bit beside the thread topic, but the default policy should always be DROP, followed by adding ACCEPT rules.

