Posted by : tallship -
Wednesday, June 23, 2004
I'm not a fan of hosting providers that provide the customer with Ensim or cPanel type control panels. In fact, being someone who was born on the command line, I find them somewhat intimidating. If you run your own machine you need to understand a few things about limiting access to your database server and protecting those assets.

In this article I'll explore some of the problems with setting up an MD-Pro site with MySQL and some of the things you need to pay close attention to in order to avoid getting whacked by malicious script kiddies. Even those who have no shell access to their servers stand to benefit from understanding WHY securing your database server is so important.

For those of you who have opted to go with a hosting provider that restricts shell access to customer accounts, your MySQL databases are probably relatively secure right out of the gate. These hosting services give users something like Ensim or cPanel to administer the customer website, and database creation is a no-brainer: you put in the name of the database you want to create, and the control panel automagically prepends your username to the name you selected. For example, if you say you want your database to be called "cms" and your username is "joeuser", the bubble that your control panel keeps you in will create a database named something like "joeuser_cms", and the MySQL user it hands you can reach only databases carrying that prefix. That might not make a lot of sense to you until you try to enter simply "cms" as the database name when installing MD-Pro, but it highlights a security point that many people setting up their own unmanaged or colocated servers often miss: the account your website connects with should be able to touch only its own database, because the website itself is the most likely path an attacker has to your MySQL server, above all through SQL injection exploits. Recently, and occasionally, you may have seen security patches for some CMS systems that are related to SQL injection.
Simply put, this nasty little exploit happens when a visitor to your site literally "injects" an SQL statement into your website's database through their browser, typically by tampering with a parameter in the URL in the address bar (or a form field) that one of your scripts copies straight into a query without checking it. Such exploits can be used to farm uid/password information from your user base, create new tables, or change/destroy data, tables, or even completely drop (delete) the database which powers your website. Depending on the sensitivity of the information you keep, or the "Mission Critical" nature of your portal, the trauma of getting whacked in this way could range from feeling violated to the extreme of completely losing your business and going bankrupt. Yes, people do this for fun mostly, in the middle of the night while popping pimples and getting high on Hostess Twinkies and Diet Dew or Code Red. Sure, there are instances where industrial saboteurs may have been hired to whack you, but if some competitor of yours is so interested in paying a blackhat to compromise you in such a way, it's probably because you didn't sell your company to Microsoft when you should have.
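To make the "injected through the address bar" idea concrete, here is an added example (my own code, not part of the original article and not MD-Pro's code) that plays out the attack and the fix against a constructed users table. It uses Python's built-in SQLite driver as a stand-in for MySQL so it runs anywhere offline; the table layout, the sample rows, the hypothetical profile.php URLs and the function names are all invented for the demonstration. The vulnerable function glues the `?uid=` parameter into the SQL text the way many 2004-era PHP scripts did; the safe one validates the type and binds the value as a parameter.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for a CMS "users" table.  The schema and
# data are made up for this example; they are not MD-Pro's real tables.
SAMPLE_USERS = [
    (1, "admin",   "s3cr3t-hash", 1),
    (2, "joeuser", "joe-hash",    0),
    (3, "guest",   "guest-hash",  0),
]


def make_db():
    """Build an in-memory SQLite database (a stand-in for MySQL) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, pass TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def uid_from_url(url):
    """Pull the ?uid= parameter out of a URL the way the web server hands it to a
    script: URL-decoded, so '+' and '%3D' arrive as a space and '='."""
    return parse_qs(urlsplit(url).query).get("uid", [""])[0]


def profile_vulnerable(conn, uid_param):
    """The injectable pattern: the raw parameter is glued into the SQL text, so
    anything the visitor typed becomes part of the statement."""
    sql = "SELECT uid, uname FROM users WHERE uid = " + uid_param
    return conn.execute(sql).fetchall()


def profile_safe(conn, uid_param):
    """The fix: validate the type, then bind the value as a query parameter.  The
    driver sends it as data, never as SQL syntax, so 'OR 1=1' and 'UNION SELECT'
    cannot change the statement."""
    try:
        uid = int(uid_param)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    return conn.execute("SELECT uid, uname FROM users WHERE uid = ?", (uid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "http://example.invalid/profile.php?uid=1"
    tautology = "http://example.invalid/profile.php?uid=1+OR+1%3D1"
    harvest = "http://example.invalid/profile.php?uid=0+UNION+SELECT+uid,pass+FROM+users"
    for url in (normal, tautology, harvest):
        param = uid_from_url(url)
        # The tautology returns every user; the UNION returns every password
        # hash in the column the page displays as the user name.
        print("param %r -> vulnerable: %s" % (param, profile_vulnerable(conn, param)))
        print("param %r -> safe:       %s" % (param, profile_safe(conn, param)))
```

Two things worth noticing. First, the password harvest needs no second statement: the legacy PHP mysql_query() call sends exactly one statement per call, so a tacked-on "; DROP TABLE users" fails there, but a UNION rides along inside the statement the script already runs and is enough to empty the users table onto the page. Second, that injected SELECT runs with whatever privileges the website's MySQL account has, which is why the per-account "joeuser_cms" restriction described above limits the blast radius even when the script is broken. In PHP of that era the equivalent of profile_safe() is casting with intval() for numeric ids and passing strings through mysql_real_escape_string(), or using prepared statements where the extension supports them.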