[thelist] Apache on Win32

David Altherr einstein314 at hotmail.com
Thu Aug 16 15:54:26 CDT 2001


Beau,
    While you can manipulate the privs tables manually, the preferred method
(assuming MySQL version > 3.22.11) is to let MySQL handle the tables with
the GRANT and REVOKE syntax.  In order to disallow the default root user as
well as any other user validated against any host ('%') or validated against
a host other than 'localhost' you would use the REVOKE syntax as follows:

REVOKE all ON *.* FROM 'user_name'@'host_name';
REVOKE GRANT OPTION ON *.* FROM 'user_name'@'host_name';

The second statement is somewhat redundant given that a MySQL user can only
grant his/her current privileges but for consistency, it will set the 'Y'
value under the user.Grant_priv column to 'N'.  Note that the 'host_name'
must be explicitly specified, for the '%' wildcard is treated simply as a
literal string in the table, e.g. if you have 'user_name' validated against
'%' and 'foohost' and then run the REVOKE against 'user_name'@'%' then the
statement will only modify the privileges for the '%' entry and not the
'foohost' entry.  Remember that while the tables have been updated,
privilege changes do not take effect until the mysqld is restarted or you
run the 'FLUSH PRIVILEGES;' statement.

Note that disallowing access to any other host than 'localhost' in MySQL
will only prevent others from accessing the database via the command line
monitor or a script running on another machine.  When accessing MySQL from a
PHP installation on the same machine, PHP will login to MySQL under
'localhost' and not the host of the user accessing the PHP script through
the Apache server; to deny access through this route, modifying the Apache
configuration files is the best method as described in the previous reply.

You can also authenticate against the user's IP address in PHP with the
$REMOTE_ADDR variable, or $HTTP_SERVER_VARS["REMOTE_ADDR"] if you have
global vars turned off.

For more information on user privilege manipulation in MySQL:
http://www.mysql.com/doc/G/R/GRANT.html

-David Altherr


> Thank you Michael. I've made this change to Apache's httpd.conf file.
>
> Is there a similar entry for mysql? After reading the manual, I've entered
> this line in the mysql.ini file:
>
> bind-address=127.0.0.1
>
> I'm hoping that this will help keep unwanted visitors out. The other thing I
> did in mysql was to edit the entries in the User table to deny access to
> anything from anyone except root on localhost. I didn't know if it was any
> better to completely delete each instance, or just replace the "Y"s with
> "N"s. Is there a preferred way to do this?
>
> BTW, I never realized how convenient it is to have a local development
> server. I was used to the save, upload, reload routine... Now in HTML-kit
> (after I mapped my htdocs directory to http://localhost/) all I have to do
> is press f12!
>
> Thanks again,
>
> Beau
>
> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Michael Pemberton
>
>
> In the httpd.conf file, you will find the following lines in the
> <directory "YOURWEBDIR"> section:
>
>     Order allow,deny
>     Allow from all
>
> By changing them to read:
>
>     Order deny,allow
>     Allow from 127.0.0.1
>
> If you have another network IP (intranet), it is possible that your browser
> will identify itself by this.  Also add
>
>     Allow from XXX.XXX.XXX.XXX (your network IP)
>
> you should now have a server that can only be accessed using "localhost".
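
Added example, not part of the original message: an audit of the per-host rows David's reply describes, generating one pair of REVOKE statements for every non-localhost entry so that a '%' row and a 'foohost' row for the same user are both covered. It assumes the classic mysql.user grant table columns and a server that provides the QUOTE() function.

```sql
-- Added example; assumes the mysql.user grant table (User, Host, *_priv
-- columns) and a MySQL server that provides QUOTE().

-- 1. List every (user, host) row that is validated against something other
--    than 'localhost'. 'user_name'@'%' and 'user_name'@'foohost' appear as
--    two separate rows, each with its own privilege columns.
SELECT User, Host, Grant_priv
FROM mysql.user
WHERE Host <> 'localhost'
ORDER BY User, Host;

-- 2. Build the REVOKE statements row by row. '%' is stored as a literal
--    string, so each Host value needs its own statement. QUOTE() escapes
--    any quote characters inside the user or host name.
SELECT CONCAT('REVOKE ALL ON *.* FROM ',
              QUOTE(User), '@', QUOTE(Host), ';') AS revoke_all
FROM mysql.user
WHERE Host <> 'localhost';

SELECT CONCAT('REVOKE GRANT OPTION ON *.* FROM ',
              QUOTE(User), '@', QUOTE(Host), ';') AS revoke_grant
FROM mysql.user
WHERE Host <> 'localhost';

-- 3. After running the generated statements, reload the tables as the
--    message advises and confirm that no non-localhost row still carries a
--    global privilege. This checks global (*.*) privileges only.
FLUSH PRIVILEGES;

SELECT User, Host
FROM mysql.user
WHERE Host <> 'localhost'
  AND (Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
       OR Delete_priv = 'Y' OR Grant_priv = 'Y');
```

An empty result from the last query means every remaining non-localhost row has those global privilege columns set to 'N'.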
