Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re: Basics: CGI MySQL security

by OfficeLinebacker (Chaplain)
on Oct 12, 2006 at 14:02 UTC ( [id://577841]=note: print w/replies, xml ) Need Help??


in reply to Basics: CGI MySQL security

Hi. I just wrote a very simple application that uses SQLite. I don't know how much crossover there is, but what I did was create the db as myself, set the perms of the directory it's in to 600, and then added the web server account as rw to the ACLs of the directory and file. The script itself checks the user's identity by using the REMOTE_USER env var. Having a .htacc file in the same directory as the script limits anyone not in a certain security group from even accessing the application. So basically you can't even see the page unless you're logged in and cookied, but that's transparent to me cos that's just how the web server is set up. I also locked down permissions on the directory the script lives in so no one can look at the code. The residual risk is someone who also has privileges to write CGI scripts writes a program to access the database, and in my org. that's apparently OK since there's a vetting process for programmers to get CGI script writing privileges, and it would take a lot of concerted effort and some luck.

Does that make sense?

_________________________________________________________________________________

I like computer programming because it's like Legos for the mind.

Replies are listed 'Best First'.
Re^2: Basics: CGI MySQL security
by jfrm (Monk) on Oct 12, 2006 at 21:28 UTC

    This is very helpful thanks. You see I didn't even know about this REMOTE_USER env var but now you've mentioned it, this gave me something to home in on.

    I have now managed to find several pages of the sort that I needed to read, giving me the basics. In particular, for the record, this page is excellent.

    So the answer seems to be that the choices are either to authenticate using basic http authentication or via cookies. Cookies means doing some of the authentication work myself and from my perspective is therefore to be avoided. http has some pitfalls but they can be worked around. Having authenticated, I can use the REMOTE_USER variable in my script and using the ideas of mapping to roles above can then get my scripts to display different things according to the role being used.

    That is good enough for the basic effort I have in mind but of course I will also take note of the advice given above on SQL injection and user paranoia.

[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://577841]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others exploiting the Monastery: (3)
As of 2024-04-25 23:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found