[pmwiki-users] mySQL for PmWiki Security . . .
Joachim Durchholz
jo at durchholz.org
Sun Jul 17 12:21:20 CDT 2005
Patrick R. Michaud wrote:
> On Thu, Jul 14, 2005 at 08:08:38AM -0500, Ben Wilson wrote:
>
>>I'm sure this has come up before, but I've not seen any recipe to help with
>>this. I am looking for a way to tie in PmWiki security with a mySQL database.
>>Essentially, we have a forum on our site, and we're wanting to tie a few fields
>>out of the users table (specifically uname/passwd) so we can use the forum as
>>the user-access control.
>
> Sure, it wouldn't be difficult at all -- the tricky part is simply
> providing the configuration information for the database/table/field
> names.

The typical setup would look like this:

local/dbauthconfig.php:

<?php if (!defined('PmWiki')) exit;
$dbauth_host = 'localhost';
$dbauth_db = 'user_info';
$dbauth_user = 'useradmin';
$dbauth_password = ' 3z3v3w49dv';
$dbauth_table = 'authentications';
$dbauth_userfield = 'user';
$dbauth_pwfield = 'password';

Since dbauthconfig contains the DB password in cleartext, this file
should have as restrictive read permissions as possible and must not be
accessible via a URL.

OTOH it must be readable by pmwiki.php. Depending on the server
configuration, this may even imply that the file is world readable.

OT3H it should be possible to set up a restricted database user that has
just read access to the user table. If that database user is
compromised, there's no serious security breach if the passwords are
stored in one-way encrypted form.

Feel free to ask for clarifications.

Regards,
Jo
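
Added example, not part of the original message: a POSIX shell check for the two file-level conditions the message describes for local/dbauthconfig.php (read permissions as restrictive as possible, file not reachable by URL). The function name, the finding labels and the document-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original message): audit a credentials file
# such as local/dbauthconfig.php. Function name, finding labels and the
# document-root argument are assumptions of this example.
#
# audit_dbauth FILE DOCROOT
#   prints one finding per line
#   returns 0 = no findings, 1 = findings, 2 = FILE missing
audit_dbauth() {
    file=$1
    docroot=$2
    findings=0

    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

    # "other" read bit set: every local account can read the DB password.
    if [ -n "$(find -L "$file" -perm -004)" ]; then
        echo "WORLD-READABLE: $file"
        findings=1
    fi

    # Group- or world-writable: another account could swap the credentials
    # or add PHP code to a file the wiki loads.
    if [ -n "$(find -L "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE-BY-OTHERS: $file"
        findings=1
    fi

    # Inside the document root: only the web server's configuration keeps
    # the file from being requested by URL.
    abs_dir=$(cd "$(dirname "$file")" && pwd -P)
    abs_root=$(cd "$docroot" 2>/dev/null && pwd -P) || abs_root=
    if [ -n "$abs_root" ]; then
        case "$abs_dir/" in
            "$abs_root"/*) echo "UNDER-DOCROOT: $file"; findings=1 ;;
        esac
    fi

    return "$findings"
}

# Stand-alone use (example paths):
#   sh audit.sh /path/to/local/dbauthconfig.php /var/www/html
if [ "$#" -eq 2 ]; then
    audit_dbauth "$1" "$2"
fi
```

An UNDER-DOCROOT finding does not by itself mean the file is served; it means the web server's deny rule for that directory is the only barrier and should be verified.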