#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2013
    Posts
    1
    Rep Power
    0

    Making An Installation


    So, I am making a script that involves the user to go through a site installation.

    I need the user to input there MySQL details in order to connect, but where do I store their MySQL details. I can't store their MySQL details in MySQL itself because when they are connecting to MySQL once they have installed, there is no way the system could connect to SQL because the information is inside MySQL and it cant get the right information to connect.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    you store the data in a file as JSON, YAML, XML or whatever format you like best.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    There's two ways to go about this:

    1) Your script's installation instructions contain copy/pastable commands that the user can paste into MySQL to create you a database, user, permissions, etc. Then your installer script uses that user/pass to create all its tables and lines. This has a security problem in that the password is always the same. You can mitigate that by telling the user to create their own secure/random password when creating the user, then have them put that password manually into a file in your script, or accept it as form input during the next step.

    2) Accept their mysql root username and password (or some other account with create database, create user, and grant permissions) into a form input, then use that to create yourself a database, its tables, your app's username and password, and appropriate permissions. Then discard their credentials and only use your own from then on. This may make people nervous, giving your script access to a powerful database user. However, it also means you can use a random password that's unique to every installation so every copy of your script in the world isn't easy to break into. Many frameworks and CMSes work like this.
    Last edited by ManiacDan; December 17th, 2013 at 09:16 AM.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    No, you never give root access to any script. This allows the script to read or change any data in any database, create "backdoors" etc. No PHP script is that trustworthy, especially if you've downloaded it somewhere from the Internet (as your users will have).

    Instead, do what all current applications do: You ask the user to provide a database and a user with sufficient permissions (CREATE TABLE etc.). And then you create the tables and store the credentials in some text file.

    For extra security, the application user may remove the unnecessary rights after the installation procedure.
    Last edited by Jacques1; December 16th, 2013 at 12:53 PM.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo