Thread: connecting with password

connecting with password

From
Eric McKeown
Date:
Is there any way to set up special password protections for a Postgres
database, so that I can force someone to present a username and password
when connecting from a PHP script?  I've combed the docs for something on
this, and I may just be completely off base on the feasibility.

Comments appreciated...

eric

_______________________
Eric McKeown
ericm@palaver.net
http://www.palaver.net


Re: [SQL] connecting with password

From
Daniele Orlandi
Date:
Eric McKeown wrote:
>
> Is there any way to set up special password protections for a Postgres
> database, so that I can force someone to present a username and password
> when connecting from a PHP script?  I've combed the docs for something on
> this, and I may just be completely off base on the feasibility.
>
> Comments appreciated...

I use this to connect with username/password:

$conn=pg_pconnect("host=localhost dbname=db user=me password=foobar");

Not very well documented, found with a bit of luck....

Bye!

--
 Daniele

-------------------------------------------------------------------------------
"On the Internet, no one knows you're using Windows NT"
(Submitted by Ramiro Estrugo, restrugo@fateware.com)
-------------------------------------------------------------------------------
 If Telecom Italia added one billing unit per day to every subscriber, since
 the first of January it would have stolen 803.726.000.000 Lire.
-------------------------------------------------------------------------------
 Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
 Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------

Re: [SQL] connecting with password

From
darcy@druid.net (D'Arcy J.M. Cain)
Date:
Thus spake Eric McKeown
> Is there any way to set up special password protections for a Postgres
> database, so that I can force someone to present a username and password
> when connecting from a PHP script?  I've combed the docs for something on
> this, and I may just be completely off base on the feasibility.

What I do is run the page as the database owner (I run a separate Apache
on a different port) and use the Apache server password protections.
Just remember to check who the remote user is every time you do any
operation where the specific user is important.  If you just need to
make a general restriction on a database for a group then the protection
in the config files (or .htaccess) should be fine.

How you do this in PHP is up to you.  I do it all in Python.

--
D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 424 2871     (DoD#0082)    (eNTP)   |  what's for dinner.
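
The per-operation check described in the reply above, as an added example that is not D'Arcy's code: because the page runs as the database owner, the database will not refuse anything, so the script has to compare Apache's REMOTE_USER with the row's owner on every call. The names `owner_only`, `ROW_OWNERS`, `delete_row` and `attempt` are hypothetical, and the sample data is constructed.

```python
import functools

class Forbidden(Exception):
    """The authenticated user may not perform this operation."""

def current_user(environ):
    """Return the user Apache authenticated; refuse if there is none."""
    user = (environ.get("REMOTE_USER") or "").strip()
    if not user:
        raise Forbidden("request did not pass Apache authentication")
    return user

def owner_only(lookup_owner):
    """Decorator: re-check REMOTE_USER against the row's owner on every call."""
    def wrap(operation):
        @functools.wraps(operation)
        def guarded(environ, row_id, *args):
            user = current_user(environ)
            if lookup_owner(row_id) != user:   # unknown row gives None: denied
                raise Forbidden(f"{user} may not {operation.__name__} row {row_id}")
            return operation(environ, row_id, *args)
        return guarded
    return wrap

# Constructed sample data standing in for an owner column in the database.
ROW_OWNERS = {1: "alice", 2: "bob"}
DELETED = []

@owner_only(ROW_OWNERS.get)
def delete_row(environ, row_id):
    DELETED.append(row_id)   # stand-in for the DELETE issued as the database owner
    return True

def attempt(environ, row_id):
    """Return 'ok' or 'forbidden' for a constructed CGI environment."""
    try:
        delete_row(environ, row_id)
        return "ok"
    except Forbidden:
        return "forbidden"

if __name__ == "__main__":
    samples = [({"REMOTE_USER": "alice"}, 1), ({"REMOTE_USER": "alice"}, 2), ({}, 1)]
    for env, row in samples:
        print(env.get("REMOTE_USER"), row, attempt(env, row))
```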

Re: [SQL] connecting with password

From
Eric McKeown
Date:
On Thu, 10 Sep 1998, D'Arcy J.M. Cain wrote:

> Date: Thu, 10 Sep 1998 23:11:15 -0400 (EDT)
> From: "D'Arcy J.M. Cain" <darcy@druid.net>
> To: Eric McKeown <ericm@palaver.net>
> Cc: PGsql <pgsql-sql@postgreSQL.org>
> Subject: Re: [SQL] connecting with password
>
> Thus spake Eric McKeown
> > Is there any way to set up special password protections for a Postgres
> > database, so that I can force someone to present a username and password
> > when connecting from a PHP script?  I've combed the docs for something on
> > this, and I may just be completely off base on the feasibility.
>
> What I do is run the page as the database owner (I run a separate Apache
> on a different port) and use the Apache server password protections.
> Just remember to check who the remote user is every time you do any
> operation where the specific user is important.  If you just need to
> make a general restriction on a database for a group then the protection
> in the config files (or .htaccess) should be fine.

I have no problems restricting access to pages where important db-related
things happen.  I simply protect these pages using HTTP or PHP
authentication, and for now, that suffices to protect those pages that
perform db-sensitive operations from the "Bad Guys".

However, what I'm trying to do is this:  I want to prevent users on my
system from writing PHP scripts on our local system that can connect to
any db and wipe out all the records in that database.  Under the current
scheme, with PHP/Apache connecting to Postgres as nobody and nobody having
permissions on the tables in my database, anybody on the system could
write and install a script that would blow a nobody-accessible database out
of the water.

So, on the PHP mailing list, I had seen it was possible to specify a
username and password when connecting to Postgres from Apache/PHP, and I'm
trying to figure out how to give users in my database passwords so that I
can quit giving nobody permissions on my dbs and start using passwords
instead.  Does that make any sense?  If I chown the db-connection files to
the uid of the web server and then make those files readable only by the
web server uid, then that will give me a much higher level of security.

Does that make any sense??  Does anyone know whether it's possible to set
up new users in Postgres databases and give them passwords for protection
purposes??

TIA for all input on this problem...

eric

>
> How you do this in PHP is up to you.  I do it all in Python.
>
> --
> D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
> http://www.druid.net/darcy/                |  and a sheep voting on
> +1 416 424 2871     (DoD#0082)    (eNTP)   |  what's for dinner.
>

_______________________
Eric McKeown
ericm@palaver.net
http://www.palaver.net
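
The file-permission idea from the message above, as an added example that is not code from the thread: a loader that refuses a connection file unless it is owned by the running uid and has no group or other permission bits, then builds the same kind of connection string shown earlier in the thread. It is written in Python; the file name, the key=value layout and the sample values are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def load_db_credentials(path):
    """Parse key=value credentials; refuse a file other local users can read."""
    with open(path) as fh:
        st = os.fstat(fh.fileno())          # check the file we actually opened
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by this process's uid")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other permission bits are set")
        creds = {}
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                creds[key.strip()] = value.strip()
    return creds

def conninfo(creds):
    """Build the libpq connection string, quoting each value."""
    parts = []
    for key in ("host", "dbname", "user", "password"):
        value = creds[key].replace("\\", "\\\\").replace("'", "\\'")
        parts.append(f"{key}='{value}'")
    return " ".join(parts)

def demo():
    """Constructed sample: the same file is accepted at 0600, refused at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dbconn.conf")   # hypothetical file name
        with open(path, "w") as fh:
            fh.write("# constructed sample values\nhost=localhost\ndbname=db\n"
                     "user=webapp\npassword=it's a secret\n")
        os.chmod(path, 0o600)
        accepted = conninfo(load_db_credentials(path))
        os.chmod(path, 0o644)
        try:
            load_db_credentials(path)
            refused = False
        except PermissionError:
            refused = True
    return accepted, refused

if __name__ == "__main__":
    print(demo())
```

The password is only enforced if the server's pg_hba.conf entry for these connections uses a password-based method rather than trust.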