
Tear apart the idea of "minimum rights in the database"

I sat down to learn Python and wanted to implement one idea, but I couldn't pull it off.
So let me describe the idea; I would like to hear your opinion. Maybe someone can suggest a better way, or help with advice.
So, the idea:

There is a website that, as seen on disk, is a folder of files in programming languages such as PHP, Perl, Python and others. These files contain calls to databases and queries against them, for example mysql_query() from PHP to MySQL.
I set out to write a Python program that understands 3 languages (PHP, Perl, Python) and 2 databases (MySQL and PostgreSQL), analyzes the website's files (walking its directories, ...) and answers two questions:
1) which servers receive SQL calls (SELECT, INSERT, etc.), and under which database user;
2) a recommendation for restricting that database user to the minimum rights it actually needs in the database.

Purpose of the program: to help an admin who has been handed an unfamiliar website, built from assorted engines of assorted web systems, apply the "necessary minimum" method, and so improve security.

Where to apply it: an admin dealing with assorted web engines and scripts.
When I talked this over with friends, some objections came up; anticipating them, I will answer right away, taking PHP and MySQL as the example.

Objection A) Why the hell analyze anything in advance, when it is easier to look at the statistics of executed SQL statements in the database AFTERWARDS?
Answer: the catch is precisely that it happens AFTER, not BEFORE, deployment. However much you test the site before deploying it, you may never press the one "button" that triggers a CREATE, and then what? Not grant CREATE at all?

Objection B) Why bother with any of this: grant ALL rights on the tables and stop worrying!
Answer: thank you, the hackers will say, for the FILE privilege you handed out when you granted EVERYTHING (in MySQL, FILE is a global privilege: it lets the user read server files with LOAD_FILE() and write them with SELECT ... INTO OUTFILE). Then they will drive through your SQL injections and be glad they can read and write files on the server. Rights must be granted by the rule of the "necessary minimum", or at least one should try.

Objection C) Why make it so hard? Can't the webmaster describe what he has in the project and hand over a list of the SQL constructs used?
Answer: there are many engines; in today's world not everything is written from scratch, and it is the admin who wires them into a single system and is responsible for its security.
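To show what the cheap version of this scanner looks like, here is an added example in Python (my code, not the post author's). Instead of a full parser for each language, it uses regular expressions to find the usual call sites (PHP mysql_query/mysqli_query/pg_query, Perl DBI prepare/do, Python DB-API execute), pulls the SQL out only when the first argument is a plain string literal, collects the verb and table names it sees, and turns them into GRANT statements. It also flags two things a practitioner cares about: queries that need the FILE privilege (the objection B case) and call sites whose SQL is not a literal, which is exactly the case a regex cannot resolve. The three sample files, the function-name list, and the database and user names (webapp, 'webuser'@'localhost') are all constructed for the example.

```python
"""Heuristic least-privilege scanner for PHP / Perl / Python sources (added example)."""
import re
from collections import defaultdict

# Call sites whose SQL text is normally the first string argument.
# Assumption: this list is illustrative, not exhaustive.
CALL_RE = re.compile(r"\b(?:mysql_query|mysqli_query|pg_query|prepare|do|query|execute)\s*\(")

# A quoted SQL literal at the start of the argument list, after an optional
# connection handle such as `$link,`.  Anything else counts as "dynamic".
LITERAL_RE = re.compile(
    r'''\s*(?:\$\w+\s*,\s*)?(?:"(?P<d>(?:[^"\\]|\\.)*)"|'(?P<s>(?:[^'\\]|\\.)*)')'''
)

# Table names follow these keywords (crude: INSERT ... SELECT gets over-approximated).
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN|TABLE)\s+`?(\w+)`?", re.I)

# Constructs that require MySQL's global FILE privilege.
FILE_RE = re.compile(r"(?:INTO\s+(?:OUTFILE|DUMPFILE)\b|LOAD_FILE\s*\(|LOAD\s+DATA\b)", re.I)

# SQL verb -> MySQL table-level privileges it needs
# (REPLACE needs INSERT+DELETE, TRUNCATE needs DROP).
VERB_PRIVS = {
    "SELECT": {"SELECT"}, "INSERT": {"INSERT"}, "REPLACE": {"INSERT", "DELETE"},
    "UPDATE": {"UPDATE"}, "DELETE": {"DELETE"}, "CREATE": {"CREATE"},
    "DROP": {"DROP"}, "ALTER": {"ALTER"}, "TRUNCATE": {"DROP"},
}

# Constructed sample files standing in for the unfamiliar website.
SAMPLE_FILES = {
    "index.php": r'''<?php
$r = mysql_query("SELECT id, name FROM users WHERE id = " . $_GET['id']);
mysql_query("INSERT INTO visits (ip, ts) VALUES ('$ip', NOW())");
mysql_query($sql);  // query text assembled elsewhere: cannot be resolved statically
''',
    "cron.pl": r'''my $sth = $dbh->prepare("UPDATE users SET last_login = NOW() WHERE id = ?");
$dbh->do("DELETE FROM sessions WHERE expires < NOW()");
''',
    "report.py": r'''cur.execute("SELECT * FROM users INTO OUTFILE '/tmp/dump.txt'")
cur.execute("SELECT COUNT(*) FROM visits")
''',
}


def scan(source, origin):
    """Return (privs_by_table, file_priv_sites, dynamic_sites) for one file."""
    privs, file_sites, dynamic = defaultdict(set), [], []
    for call in CALL_RE.finditer(source):
        line = source.count("\n", 0, call.start()) + 1
        lit = LITERAL_RE.match(source, call.end())
        if not lit:
            dynamic.append((origin, line))       # not a literal: needs a human or the general log
            continue
        sql = (lit.group("d") if lit.group("d") is not None else lit.group("s")).strip()
        verb = sql.split(None, 1)[0].upper() if sql else ""
        if FILE_RE.search(sql):
            file_sites.append((origin, line))
        for table in TABLE_RE.findall(sql):
            if table.upper() not in ("OUTFILE", "DUMPFILE"):
                privs[table].update(VERB_PRIVS.get(verb, set()))
    return privs, file_sites, dynamic


def analyse(files):
    """Merge per-file results over a {filename: source} mapping."""
    total, file_sites, dynamic = defaultdict(set), [], []
    for name, src in files.items():
        p, f, d = scan(src, name)
        for table, s in p.items():
            total[table] |= s
        file_sites += f
        dynamic += d
    return total, file_sites, dynamic


def grants(privs_by_table, db="webapp", user="'webuser'@'localhost'"):
    """One GRANT per table with only the privileges that were actually seen."""
    return [f"GRANT {', '.join(sorted(p))} ON {db}.{t} TO {user};"
            for t, p in sorted(privs_by_table.items()) if p]


if __name__ == "__main__":
    total, file_sites, dynamic = analyse(SAMPLE_FILES)
    for g in grants(total):
        print(g)
    for f, ln in file_sites:
        print(f"{f}:{ln}: needs the FILE privilege; review before granting it")
    for f, ln in dynamic:
        print(f"{f}:{ln}: non-literal query; resolve by hand or from the general query log")
```

Running it on the samples yields GRANTs for sessions (DELETE), users (SELECT, UPDATE) and visits (INSERT, SELECT), flags report.py line 1 as needing FILE, and reports index.php line 4 as unresolved. The last two lists are the honest part of the output: a regex scanner cannot follow a query built elsewhere, so those sites have to be closed by reading the code or by confirming them against the server's query log after deployment, which is where objection A and the static approach complement each other.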

I couldn't pull it off, because I would have had to write lexical analysis and parsing of the text. I even went back to narod.ru/disk/15816222000/AhoSetiUlman_Kompilyators-www.masterpc.alfaspace.net.djvu.html (Aho, Sethi, Ullman, "Compilers"), but after "drawing" the grammar I realized that I would need to write practically full interpreters for the languages I had sat down to analyze, because the calls can be arbitrarily complex. Just imagine that the queries are read from a text file: how is my script supposed to understand that?
I am a software engineer by training, but fate made me an admin, and serious programming stayed behind at the institute door. Can you advise something? Point me in the right direction? Or suggest something?

Thanks in advance.

Source: https://habr.com/ru/post/78751/
