MiniVend Akopia Services


SQL/mysql permissions problem



******    message to minivend-users from "Colin Mitchell" <colin@5points.net>     ******


Hello All - I've got an issue here, that is either something that I'm having
a problem with, or might be a real issue within the minivend code that might
be worth addressing.

Anyways, I am building a simple backend that provides minivend users with a
web-based listing of orders with all of the relevant information.  The data
is served in our MySQL db.  It will be accessed through SSL and will be
password-protected, etc, etc.  Obviously, this is some fairly private data
that we are storing in our database, so I would like it to be as secure as
possible, especially credit card information.

Now, my problem is this.  I am using minivend's internal SQL support to do
the insert into the database.  Since MySQL has a pretty decent permissions
system, I figured that I would set up a user that can only insert into the
database.  This way, if that password is compromised, I don't care too much.
And since it's stored in cleartext in the minivend config file, I could see
it being compromised.  Anyways, I had no luck setting up an insert-only
user, because it looks like minivend tries to do a SELECT to make sure that
it can hit the database.  When I set up MySQL to allow the user to do the
select, everything works fine, but it isn't secure anymore.  I'd really
rather not have it work this way if at all possible.

So, I'm wondering -- has anyone experienced a similar problem?  Is there a
workaround for this, or is it a fundamental issue within the minivend code?
Also, I've already tried working on this using embedded Perl, and it was a
real pain.  Never mind all of the odd Perl functions I ended up writing in
different files, after all of that it still didn't work.  For some reason,
it wouldn't store email addresses in the db.  Originally I thought it had
something to do with the @ in an email address, but I think it might be more
than that.  I posted about it a week or two ago and none of the answers I
got worked for me.

I think it would be really cool if there were some simple functions that
allowed minivend to store a transaction in a database.  I'm sure some of you
are doing this right now, I'd love to hear how.

Any help would be much appreciated.  Thanks - Colin



[] "I promise I shall never give up, and that I'll die yelling and   []
[] laughing.  And that until then I'll rush around this world I      []
[] insist is holy and pull at everyone's lapel and make them confess []
[] to me and to all." - Jack Kerouac                                 []
[]       ::      http://www.digitalfootprint.com/colin      ::       []
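
Added example (not part of the message above, and not Minivend code): the insert-only MySQL account the post describes, beside the table-wide SELECT that made it work and a column-scoped SELECT as a narrower grant. The database, table, column and account names are hypothetical, and whether Minivend's check passes with only a column-scoped SELECT is an assumption to test, not something the post establishes.

```sql
-- Hypothetical schema: database `shop`, table `orders` (constructed for this example).
CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE shop.orders (
    order_id    INT AUTO_INCREMENT PRIMARY KEY,
    email       VARCHAR(255) NOT NULL,
    card_number VARCHAR(32)  NOT NULL
);

-- 1. The account the post wants: it can add rows but cannot read them back.
--    'mv_insert' and the password are placeholders.
CREATE USER 'mv_insert'@'localhost' IDENTIFIED BY 'replace-this-password';
GRANT INSERT ON shop.orders TO 'mv_insert'@'localhost';

-- Connected as mv_insert at this point:
--   INSERT INTO shop.orders (email, card_number) VALUES (...);  -- allowed
--   SELECT * FROM shop.orders;                                  -- denied

-- 2. The grant that made things work in the post. It is table-wide, so the
--    cleartext password in the config file now also reads every stored column.
--    Left commented out on purpose:
-- GRANT SELECT ON shop.orders TO 'mv_insert'@'localhost';

-- 3. Narrower grant: SELECT limited to one non-sensitive column.
--    MySQL supports column-level privileges with this syntax.
GRANT SELECT (order_id) ON shop.orders TO 'mv_insert'@'localhost';

-- Connected as mv_insert after step 3:
--   SELECT order_id FROM shop.orders;            -- allowed
--   SELECT email, card_number FROM shop.orders;  -- denied
--   SELECT * FROM shop.orders;                   -- denied (touches ungranted columns)

-- 4. Check what the account really holds before trusting it.
SHOW GRANTS FOR 'mv_insert'@'localhost';

-- To go back to strict insert-only:
-- REVOKE SELECT (order_id) ON shop.orders FROM 'mv_insert'@'localhost';
```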


