Thread

  1. connecting with password

    Eric J McKeown <ericm@palaver.net> — 1998-09-11T02:18:40Z

    Is there any way to set up special password protections for a Postgres
    database, so that I can force someone to present a username and password
    when connecting from a PHP script?  I've combed the docs for something on
    this, and I may just be completely off base on the feasibility.
    
    Comments appreciated...
    
    eric
    
    _______________________
    Eric McKeown
    ericm@palaver.net
    http://www.palaver.net
    
    
    
  2. Re: [SQL] connecting with password

    Daniele Orlandi <daniele@orlandi.com> — 1998-09-11T02:31:10Z

    Eric McKeown wrote:
    > 
    > Is there any way to set up special password protections for a Postgres
    > database, so that I can force someone to present a username and password
    > when connecting from a PHP script?  I've combed the docs for something on
    > this, and I may just be completely off base on the feasibility.
    > 
    > Comments appreciated...
    
    I use this to connect with username/password:
    
    $conn=pg_pconnect("host=localhost dbname=db user=me password=foobar");
    
    Not very documented, found with a bit of luck....
    
    Bye!
    
    -- 
     Daniele
    
    -------------------------------------------------------------------------------
    "On the Internet, no one knows you're using Windows NT"
    (Submitted by Ramiro Estrugo, restrugo@fateware.com)
    -------------------------------------------------------------------------------
     Se telecom italia aggiungesse uno scatto al giorno ad ogni abbonato, dal
     primo Gennaio avrebbe rubato 803.726.000.000 Lire.
    -------------------------------------------------------------------------------
     Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
     Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
    -------------------------------------------------------------------------------
    
    
  3. Re: [SQL] connecting with password

    D'Arcy J.M. Cain <darcy@druid.net> — 1998-09-11T03:11:15Z

    Thus spake Eric McKeown
    > Is there any way to set up special password protections for a Postgres
    > database, so that I can force someone to present a username and password
    > when connecting from a PHP script?  I've combed the docs for something on
    > this, and I may just be completely off base on the feasibility.
    
    What I do is run the page as the database owner (I run a separate Apache
    on a different port) and use the Apacher server password protections.
    Just remember to check who the remote user is every time you do any
    operation where the specific user is important.  If you just need to
    make a general restriction on a database for a group then the protection
    in the config files (or .htaccess) should be fine.
    
    How you do this in PHP is up to you.  I do it all in Python.
    
    -- 
    D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
    http://www.druid.net/darcy/                |  and a sheep voting on
    +1 416 424 2871     (DoD#0082)    (eNTP)   |  what's for dinner.
    
    
  4. Re: [SQL] connecting with password

    Eric J McKeown <ericm@palaver.net> — 1998-09-11T18:12:05Z

    On Thu, 10 Sep 1998, D'Arcy J.M. Cain wrote:
    
    > Date: Thu, 10 Sep 1998 23:11:15 -0400 (EDT)
    > From: "D'Arcy J.M. Cain" <darcy@druid.net>
    > To: Eric McKeown <ericm@palaver.net>
    > Cc: PGsql <pgsql-sql@postgreSQL.org>
    > Subject: Re: [SQL] connecting with password
    > 
    > Thus spake Eric McKeown
    > > Is there any way to set up special password protections for a Postgres
    > > database, so that I can force someone to present a username and password
    > > when connecting from a PHP script?  I've combed the docs for something on
    > > this, and I may just be completely off base on the feasibility.
    > 
    > What I do is run the page as the database owner (I run a separate Apache
    > on a different port) and use the Apacher server password protections.
    > Just remember to check who the remote user is every time you do any
    > operation where the specific user is important.  If you just need to
    > make a general restriction on a database for a group then the protection
    > in the config files (or .htaccess) should be fine.
    
    I have no problems restricting access to pages where important db-related
    things happen.  I simply protect these pages using HTTP or PHP
    authentication, and for now, that suffices to protect those pages that
    perform db-sensitive operations from the "Bad Guys".
    
    However, what I'm trying to do is this:  I want to prevent users on my
    system from writing PHP scripts on our local system that can connect to
    any db and wipe out all the records in that database.  Under the current
    scheme, with PHP/Apache connecting to Postgres as nobody and nobody having
    permissions on the tables in my database, anybody on the system could
    write and install a script that would blow nobody-accessible database out
    of the water.
    
    So, on the PHP mailing list, I had seen it was possible to specify a
    username and password when connecting to Postgres from Apache/PHP, and I'm
    trying to figure out how to give users in my database passwords so that I
    can quit giving nobody permissions on my dbs and start using passwords
    instead.  Does that make any sense?  If I chown the db-connection files to
    the uid of the web server and then make those files readable only by the
    web server uid, then that will give me a much higher level of security.
    
    Does that make any sense??  Does anyone know whether it's possible to set
    up new users in Postgres databases and give them passwords for protection
    purposes??
    
    TIA for all input on this problem...
    
    eric
    
    > 
    > How you do this in PHP is up to you.  I do it all in Python.
    > 
    > -- 
    > D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
    > http://www.druid.net/darcy/                |  and a sheep voting on
    > +1 416 424 2871     (DoD#0082)    (eNTP)   |  what's for dinner.
    > 
    
    _______________________
    Eric McKeown
    ericm@palaver.net
    http://www.palaver.net