Request #81023 Limit usable usernames or databases for MySQLi
Submitted: 2021-05-09 16:20 UTC Modified: 2021-05-31 15:01 UTC
From: nene at wo dot cz Assigned:
Status: Not a bug Package: MySQLi related
PHP Version: Next Major Version OS: Linux
Private report: No CVE-ID: None
 [2021-05-09 16:20 UTC] nene at wo dot cz
Description:
------------
Hello,

Utilizing one LAMP server for multiple webs and/or domains is quite common now. It would be great to limit the usernames which can be used to connect to a MySQL database from PHP per Apache virtual host and/or PHP-FPM.
For example, there is one shared MySQL server for all webs. The configuration of each web can contain a list of acceptable usernames for accessing the database, for example as php_admin_value='user1' in the Apache virtual host. If this virtual host invokes mysqli_connect in PHP with a username other than 'user1', this will be prohibited.
This can improve the security of shared web server services, because one web cannot make a brute-force password attack against the databases of other webs.

BR,

Zdenek


 [2021-05-09 16:33 UTC] nene at wo dot cz
-Summary: Limit usable usernames for MySQLi
+Summary: Limit usable usernames or databases for MySQLi
 [2021-05-09 16:33 UTC] nene at wo dot cz
Or the limitation can be based on usable databases, not usernames. Both are a big improvement for security.

Zdenek
 [2021-05-31 15:01 UTC] bwoebi@php.net
-Status: Open
+Status: Not a bug
 [2021-05-31 15:01 UTC] bwoebi@php.net
PHP shall be assumed to be as powerful as any script executed as the user PHP runs under.

It is trivially possible to write custom MySQL drivers (with bare TCP sockets - there are libraries written in PHP for that), which would make this an ineffective band-aid. As such we are not going to support this.
 
Last updated: Tue Oct 19 21:03:42 2021 UTC