Thread: Postgres access using PHP
I am trying to access a Postgres database using PHP from a Web page and it doesn't work. Could anyone shed any light on the problem? This is the error I get - which looks like an authentication problem:- Unable to connect to PostgreSQL server: FATAL 1: SetUserId: user 'root' is not in 'pg_shadow' What have I overlooked in setting up Postgres for Web access? -- John
On Sun, 14 Jan 2001, John Poltorak wrote:
> I am trying to access a Postgres database using PHP from a Web page
> and it doesn't work.
>
> Could anyone shed any light on the problem?
>
> This is the error I get - which looks like an authentication problem:-
>
> Unable to connect to PostgreSQL server: FATAL 1: SetUserId: user 'root' is not in 'pg_shadow'
>
> What have I overlooked in setting up Postgres for Web access?
You should not be using 'root' to connect to the database, in the first
place (which looks odd also -- your webserver should be running as
'nobody', and this should be the default user, not 'root').
You need to create a user (see documentation on CREATE USER) and give them
access to your database (See documentation on GRANT). I would also
recommend giving this user limited access rights -- perhaps just SELECT,
INSERT and UPDATE.
-- Brett
http://www.chapelperilous.net/~bmccoy/
---------------------------------------------------------------------------
There is only one way to console a widow. But remember the risk.
-- Robert Heinlein
Or...
In your connect string, use the username "postgres"..
$connect=pg_connect("dbname=database, user=postres")....
check out http://www.php.net/manual/en/function.pg-connect.php for correct
syntax.
HTH
>On Sun, 14 Jan 2001, John Poltorak wrote:
>
> > I am trying to access a Postgres database using PHP from a Web page
> > and it doesn't work.
> >
> > Could anyone shed any light on the problem?
> >
> > This is the error I get - which looks like an authentication problem:-
> >
> > Unable to connect to PostgreSQL server: FATAL 1: SetUserId: user
> 'root' is not in 'pg_shadow'
> >
> > What have I overlooked in setting up Postgres for Web access?
>
>You should not be using 'root' to connect to the database, in the first
>place (which looks odd also -- your webserver should be running as
>'nobody', and this should be the default user, not 'root').
>
>You need to create a user (see documentation on CREATE USER) and give them
>access to your database (See documentation on GRANT). I would also
>recommend giving this user limited access rights -- perhaps just SELECT,
>INSERT and UPDATE.
>
>-- Brett
> http://www.chapelperilous.net/~bmccoy/
>---------------------------------------------------------------------------
>There is only one way to console a widow. But remember the risk.
> -- Robert Heinlein
------------------------
Chris Smith
http://www.squiz.net
On Sun, Jan 14, 2001 at 10:27:57PM +0000, John Poltorak wrote: > > I am trying to access a Postgres database using PHP from a Web page > and it doesn't work. > > Could anyone shed any light on the problem? > > This is the error I get - which looks like an authentication problem:- > > Unable to connect to PostgreSQL server: FATAL 1: SetUserId: user 'root' is not in 'pg_shadow' > > What have I overlooked in setting up Postgres for Web access? Many thanks to everyone who suggested my Web server was running as 'root' and this was the cause of the problem. I'd just like to point out that I'm running Postgres, PHP4, and Xitami all under OS/2, which is a single-user OS, and the USER variable does not get set automatically. I have set the this variable to POSTGRES before starting Xitami, just to make sure I can get everything going and it works fine now, So, thank you all. -- John
John Poltorak wrote:
> I am trying to access a Postgres database using PHP from a Web page
> and it doesn't work.
> Could anyone shed any light on the problem?
> This is the error I get - which looks like an authentication problem:-
> Unable to connect to PostgreSQL server: FATAL 1: SetUserId: user 'root' is not in 'pg_shadow'
You may be running a webserver as root. This is very bad. Big security
hole. This means that one PHP script can completely destroy your server,
email your passwords to hackers, and make long-distance calls over your
modem. (Really, root can do all this, so your webserver could too) it's
a good idea to have a web-server user such as "www" or "nobody" or "httpd".
> What have I overlooked in setting up Postgres for Web access?
You typically should make a postgres user for web-access only (using the
master postgresql user for web access has similar security holes). It
makes life a bit easier if you use the same pg user as the web server
user.
Otherwise, you'll need to use:
pg_connect("dbname=whatever user=whatever_user password=pass");
for connections. If you're using a PHP reference That still
advocates using:
pg_connect("localhost","whatever","whatever_user","pass");
Please ignore it, it's been deprecated. (Use one string, not 4.)
-Ronabop
--
Personal: ron@opus1.com, 520-326-6109, http://www.opus1.com/ron/
Work: rchmara@pnsinc.com, 520-546-8993, http://www.pnsinc.com/
The opinions expressed in this email are not neccesarrily those of myself,
my employers, or any of the other little voices in my head.
On Sun, 14 Jan 2001 18:29:21 John Poltorak wrote: >Many thanks to everyone who suggested my Web server was running as 'root' >and this was the cause of the problem. > >I'd just like to point out that I'm running Postgres, PHP4, and Xitami >all under OS/2, which is a single-user OS, and the USER variable does >not get set automatically. > >I have set the this variable to POSTGRES before starting Xitami, >just to make sure I can get everything going and it works fine now, The way I do it is create a PostgreSQL user named "nobody" which functions as the default account for web access. I also have other accounts for privileged access. When I connect using a CGI script, the script checks to see if the remote_user() is listed in pg_user table. If so, it access the database using the associated permissions. If not, then it accesses the database using the permissions assigned to the user "nobody", which may mean no permissions. You don't have to use CGI for this to work. You just need a way for the script to authenticate users and use the resulting username when connecting to the database. Tony -- Anthony E. Greene <agreene@pobox.com> <http://www.pobox.com/~agreene/> PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D Chat: AOL/Yahoo: TonyG05 ICQ: 91183266 Linux. The choice of a GNU Generation. <http://www.linux.org/>