php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #81023 Limit usable usernames or databases for MySQLi
Submitted: 2021-05-09 16:20 UTC Modified: 2021-05-31 15:01 UTC
From: nene at wo dot cz Assigned:
Status: Not a bug Package: MySQLi related
PHP Version: Next Major Version OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2021-05-09 16:20 UTC] nene at wo dot cz 
Description:
------------
Hello,

utilizing one LAMP server for multiple webs and/or domains is quite common now. It would be great to limit the usernames which can be used to connect to MySQL database from PHP per Apache virtual and/or PHP-fpm.
For example - there is one shared MySQL server for all webs. In the configuration of each web can be list of acceptable usernames to access the database. For example as php_admin_value='user1' in apache virtual. In a case that this virtual invoke in PHP mysqli_connect with different username than 'user1', this will be prohibited.
This can improve the security of shared web server services, because one web cannot make brute force password attack to databases of other webs.

BR,

Zdenek

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-05-09 16:33 UTC] nene at wo dot cz
-Summary: Limit usable usernames for MySQLi +Summary: Limit usable usernames or databases for MySQLi
 [2021-05-09 16:33 UTC] nene at wo dot cz 
Or the limitation can be based on usable databases, not usernames. Both is big improvement for security.

Zdenek
 [2021-05-31 15:01 UTC] bwoebi@php.net
-Status: Open +Status: Not a bug
 [2021-05-31 15:01 UTC] bwoebi@php.net 
PHP shall be assumed to be as powerful as any script executed as the user PHP runs under.

It is trivially possible to write custom mysql drivers (with bare tcp sockets - there are libraries written in PHP for that), which would make this an ineffective bandaid. As such we are not going to support this.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 23:01:29 2024 UTC