You don't need to be granting MySQL root privileges to CGI scripts. Within MySQL set up a user who has only the permissions necessary to do what your CGI script needs to do. Then make sure your tables are set up to grant only as much access to that user as necessary. For example, maybe table "logins" grants read/write/lock access to your cgi-user, but not alter table, etc. And maybe table "lotsofdata" only grants read access to your cgi-user account, if the CGI never needs to update that table.
You also make sure that cgi-user's login topological-scope is as narrow as possible. If the database resides on the same machine as the webserver then you can restrict logins for cgi-user to only localhost. If the database resides on a different computer, restrict logins for cgi-user to just that IP. This is within the cgi-user's setup in MySQL. Your CGI script and webserver need to allow visitors from just about everywhere (presumably), but the script's login to the database can be much narrower.
Then, of course, use best practices with respect to placeholders, taint mode, and server configuration such that the client is never able to send bad characters that would inject malicious content/code into your database, or allow them to see your actual code.
Dave
In reply to Re: Mysql-CGI Security Question
by davido
in thread Mysql-CGI Security Question
by serotta1958
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |