This is a discussion on Protect local Mysql DB access within the PHP Language forums, part of the PHP Programming Forums category.
Hi,
I just password-protected an intranet site by including a password authentication script in each page of a private section. The script checks the login against the MySQL database. Appropriate file permissions have been set up on the private directory. My concern is now about protecting the MySQL password. Let's assume I use Apache to protect the access to this password (<Files></Files> or SetEnv in httpd.conf). In my intranet directory, I have a public folder where I let users put their html/php files to build their own pages. How can I prevent a user from creating a php file like this:

    $conn = mysql_connect($_SERVER['SQL_DB'], $_SERVER['SQL_USER'], $_SERVER['SQL_PASS'])
        or die(mysql_error());
    $sql = "update user set private_access = '1' where username = 'myself'";
    $result = mysql_query($sql) or die(mysql_error());

In that way, without knowing the MySQL pwd, any user can finally have access to the private section. Can anyone tell me how I can manage this? Thanks!
In article <b7dced84.0406020751.16bdeebf@posting.google.com>, Flier_75 wrote:
> How can I prevent a user from creating a php file like this :
>
> $conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
> or die(mysql_error());
>
> $sql = 'update user set private_access= '1' where username =
> 'myself'';
> $result = mysql_query($sql) or die(mysql_error());
>
> In that way, without knowing the Mysql pwd, any user can finally have
> access to the private section.

Read the MySQL manual on access rights.
Add an account that has only rights on the columns/tables/databases it
should have (thus excluding the private_access column in this case).

--
Tim Van Wassenhove <http://home.mysth.be/~timvw/contact.php>
Tim, thanks, but if I use an account that for instance doesn't have
access to the columns "private_access" and "user_password", then what can I do if I want the users to be able to change their password from my php pages? These php pages use one and only one $_SERVER['SQL_USER'] account.

Tim Van Wassenhove <euki@pi.be> wrote in message news:<2i6fitFj5dtnU1@uni-berlin.de>...
> In article <b7dced84.0406020751.16bdeebf@posting.google.com>, Flier_75 wrote:
> > How can I prevent a user from creating a php file like this :
> >
> > $conn = mysql_connect($_SERVER['SQL_DB'],$_SERVER['SQL_USER'],$_SERVER['SQL_PASS'])
> > or die(mysql_error());
> >
> > $sql = 'update user set private_access= '1' where username =
> > 'myself'';
> > $result = mysql_query($sql) or die(mysql_error());
> >
> > In that way, without knowing the Mysql pwd, any user can finally have
> > access to the private section.
>
> Read the MySQL manual on access rights.
> Add an account that has only rights on the columns/tables/databases it
> should have (Thus excluding thet private_access column in this case).
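Tim's advice (a MySQL account that only has rights on the columns it needs) and the follow-up question (how can users still change their password through the same account?) can both be handled with MySQL column-level privileges. The following is an added example, not code from the thread: the table `user` and the columns `username`, `user_password` and `private_access` are the names used in the posts, while the database name `intranet`, the account `webapp@localhost` and its password are assumptions for illustration. The syntax is that of MySQL 5.x and later.

```sql
-- Added example, not from the thread. Assumed names: database `intranet`,
-- account 'webapp'@'localhost'. Table `user` and its columns come from the posts.

-- Run as a MySQL administrative account (e.g. root).
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';

-- The web application's account may read the columns the login check needs
-- and may change user_password (so users can update their own password),
-- but receives no privilege of any kind on private_access.
GRANT SELECT (username, user_password, private_access)
    ON intranet.user TO 'webapp'@'localhost';
GRANT UPDATE (user_password)
    ON intranet.user TO 'webapp'@'localhost';

-- Verify what the account can actually do:
SHOW GRANTS FOR 'webapp'@'localhost';

-- Now connected as 'webapp'@'localhost' (the credentials a rogue script in the
-- public folder would pick up from $_SERVER). This is the statement from the
-- original post; MySQL rejects it with
-- ERROR 1143 (42000): UPDATE command denied to user 'webapp'@'localhost'
--   for column 'private_access' in table 'user'
UPDATE intranet.user SET private_access = '1' WHERE username = 'myself';

-- Still permitted: the password-change path used by the site's own PHP pages.
UPDATE intranet.user
   SET user_password = 'hash-computed-by-the-application'
 WHERE username = 'myself';
```

Column privileges restrict which columns a statement may touch, not which rows: with this grant a script dropped into the public folder can no longer flip `private_access`, but it can still overwrite any user's `user_password`, because the public pages and the private pages share one account. Keeping the public folder on a separate Apache virtual host or `<Directory>` block with its own `SetEnv` values, pointing at a second MySQL account that has no `UPDATE` privilege at all, closes that gap as well.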