[pmwiki-users] mySQL for PmWiki Security . . .

Joachim Durchholz jo at durchholz.org
Sun Jul 17 12:21:20 CDT 2005


Patrick R. Michaud wrote:
> On Thu, Jul 14, 2005 at 08:08:38AM -0500, Ben Wilson wrote:
> 
>>I'm sure this has come up before, but I've not seen any recipe to help with
>>this. I am looking for a way to tie in PmWiki security with a mySQL database.
>>Essentially, we have a forum on our site, and we're wanting to tie a few fields
>>out of the users table (specifically uname/passwd) so we can use the forum as
>>the user-access control.
> 
> Sure, it wouldn't be difficult at all -- the tricky part is simply
> providing the configuration information for the database/table/field
> names.

The typical setup would look like this:

local/dbauthconfig.php:
   <?php if (!defined('PmWiki')) exit;
   $dbauth_host = 'localhost';
   $dbauth_db = 'user_info';
   $dbauth_user = 'useradmin';
   $dbauth_password = ' 3z3v3w49dv';
   $dbauth_table = 'authentications';
   $dbauth_userfield = 'user';
   $dbauth_pwfield = 'password';

Since dbauthconfig contains the DB password in cleartext, this file 
should have as restrictive read permissions as possible and must not be 
accessible via a URL.

OTOH it must be readable by pmwiki.php. Depending on the server 
configuration, this may even imply that the file is world readable.

OT3H it should be possible to set up a restricted database user that has 
just read access to the user table. If that database user is 
compromised, there's no serious security breach if the passwords are 
stored in one-way encrypted form.

Feel free to ask for clarifications.

Regards,
Jo
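
An added example, not part of the original message: a shell check for the two exposures described above, a credentials file that other local accounts can read or modify, and a config script that lacks the `defined('PmWiki')` guard. The function name and the finding messages are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a PmWiki DB-auth
# config file such as local/dbauthconfig.php.
# audit_dbauth_config is a hypothetical helper name.

# audit_dbauth_config FILE
# Prints one line per finding.
# Returns 0 if clean, 1 if any finding, 2 if FILE does not exist.
audit_dbauth_config() {
    file=$1
    findings=0

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi

    # World-readable: any local account can read the cleartext DB password.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "world-readable: $file"
        findings=1
    fi

    # Group- or world-writable: another account could replace the
    # credentials or add code that pmwiki.php would then include.
    if [ -n "$(find "$file" -prune \( -perm -002 -o -perm -020 \))" ]; then
        echo "writable by group or others: $file"
        findings=1
    fi

    # The guard makes the script exit when it is requested directly by URL
    # instead of being included by pmwiki.php.
    if ! grep -Eq "defined[[:space:]]*\([[:space:]]*['\"]PmWiki['\"]" "$file"; then
        echo "no defined('PmWiki') guard: $file"
        findings=1
    fi

    return $findings
}

# Usage: audit_dbauth_config local/dbauthconfig.php
```

On servers where the web server runs as a different account from the file owner, the world-readable finding may be unavoidable, which is the case the message raises; the restricted read-only database user then limits what a leaked password allows.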



