If I do shell_exec('mysqldump DATABASE_NAME') from a php script, is there any danger?
Is there a way to get this to work in Windows?
I am going to use mysqldump for database backup from a web page
Also should I do set_time_limit(0) when running this?
Yeah, there is danger: If database name comes from an untrusted source hackers could try to inject shell commands in the database name. For example:
$dbname = 'test; cat /etc/shadow';
might being used to obtain user names and encrypted passwords from the system (depends on the system)..
To avoid that, you should use escapeshellarg() to quote the database name (and possible other arguments):
shell_exec('mysqldump ' . escapeshellarg($database_name));
set_time_limit() isn't required if you are following my hints here
Needless to say, that you'll have to secure the page using login.
Related
I want to call php using vba or vbs. The php file is stored on a server.
I am able to do it if the php file is stored locally:
Sub asasdsad
Call Shell("C:\xampp\php\php.exe C:\path\file.php", 1)
End Sub
This calls the php which executes a code for me. My problem is, the .php file I want to call is stored on a server, for which I've got username and password of course. Copying file to local directory is not an option as it's got a lot of includes.
My idea is to use PuTTY to connect to the server, and use it to execute above command, all from cmd using vba/vbs.
UserName = "un"
Passwrd = "pw"
'this would need additional parameters at the end to call php.exe like above
Call Shell("""C:\Program Files (x86)\PuTTY\putty.exe"" " & "-ssh " & UserName & "#ip address -pw " & Passwrd, 1)
As you can imagine there will be a lot of parameters so it just get complicated, not ever sure if this would work. I've never used PuTTY and all of this is quite new to me. I'm sure there's a better way?
First, do not use PuTTY, use Plink (PuTTY connection tool). It's a console application designed for automation (contrary to PuTTY, what is GUI application, designed for an interactive use).
Plink (again contrary to PuTTY) can accept a command to be executed on its command-line (it has a similar command-line syntax as OpenSSH ssh):
"C:\...\plink.exe" -ssh username#ip_address -pw password /path/to/php /path/to/script.php
I'm tryng to find a solution for upload data on a remote mysql database using a python daemon.
My base script use a simple query "INSERT INTO...." but in top of the script there are in clear the credentials to connect on database:
conn = MySQLdb.connect(host="192.168.1.123", user="root", passwd="Pa$$w0rd", db="mydb")
I do not want anyone reading the python script can access the database directly.
I need to use python scripts on clients
The server with mysql db is on cloud
The clients are Raspberry pi
In the server I can use php
Several ways
1. Use mysql.cnf file
Mysql cnf files is a config file storing MySQL credentials, if this server or client executing the script has one, you can use it like:
db=_mysql.connect(host="outhouse",db="thangs",read_default_file="~/.my.cnf")
Credentials are not in your Python script anymore, but they are clear in cnf file anyway and you must have this file in the same place everywhere you want to use your script.
source: http://mysql-python.sourceforge.net/MySQLdb.html
2. Command line argument
You can parse command line arguments to get credentials from it like:
import sys
user = sys.argv[1]
password = sys.argv[2]
conn = MySQLdb.connect(host="192.168.1.123", user=user, passwd=password, db="mydb")
And so execute your script with:
python myscript "root" "pa$$w0rd"
With this method credentials can't be found in any config file, but you have to execute it with arguments, if it's a deamon it can be ok, but if you want to use it as cron (by example), you will have to write credentials in crontab, so not so safe.
3. Environment variables
Another way is to use environment variables
import os
conn = MySQLdb.connect(host="192.168.1.123", user=os.environ['MYSQL_USER'], passwd=os.environ['MYSQL_PASSWORD'], db="mydb")
But you will have to set these variables somewhere. In ~/.bash_profile, /etc/profile or by command line. So if somebody access to user that can execute script, he can read password.
4. Encoding
Encoding seems to be a good way to hide password, but in fact you can not really hide from someone who can access to the right user in the right server.
Encoded string without salt is easy to decode, some encoding methods are easy to spot and can be decoded by anyone.
Using a salt will make work more harder, but if somebody can access to you code, it will be easy to locate salt phrase (no matter if salt is stored in environment var, in a file or directly in code).
Using .pyc files can be an idea too, but first, it's not recommended and anybody can read content by creating a python script importing this pyc file and print what stored in.
Encoding credentials still is still a good thing, but encoded string can always be decoded, if your code can, somebody with access to it can too. A simple print password added in your code and regardless of the used method the password will be accessible.
So you have to secure your python code, but Unix users & groups too and mysql config too.
Hoping you experienced folks can clear up my frustrations! I've searched & researched and found multiple sources discussing similar issues to what I'm trying to troubleshoot, but none seem to help the situation. Without giving an entire historical listing of what I've tried, here's where things currently stand:
I have a simple Debian server set up with a MySql database. All relevant firewall ports have been opened and specific GRANT PRIVILEGES have been applied for 'username'#'mylocalglobalip' (username not being root).
On my local Apache instance (I'm currently running it on OS X), I have the latest PHP installed and working. I've confirmed this by going to localhost/website/phpinfo.php - PHP itself is working fine.
I've gone through all the tutorials on setting up a simple MySql connection using mysqli. Here's my simple code (with the credentials deleted):
$connection = mysqli_connect($mylocalglobalip,$username,$password,$dbname);
No matter what I've tried, I keep getting the friendly
"mysqli_connect(): (HY000/1045): Access denied for user
'username'#'mylocalglobalip' (using password: YES)" warning.
If I SSH into the remote server, I can get into the MySql console from both my non-root and root logins. However, I can only login if I use...
mysql -u username -p
... and supply my password when prompted. However, if I enter...
mysql -u username -pPassword
... no luck. I again get Access Denied.
Finally, to make sure everything is open on my firewalls and that my server and MySql are accessible remotely, I installed a local instance of MySqlWorkbench. I put in the same credentials and I can login to the remote server without a problem.
Why would I be able to login through the Workbench, but not through my local PHP script? Is there an obvious parameter I need to enable in a local and/or remote config file? From the php and mysql config files I've glanced at, I can't see anything that would be blocking the PHP connection.
I'll be happy to provide config and code snippets upon request!
Thanks for reading!
Thanks to the comments and responses, the solution presented itself. Michael (sqlbot) mentioned using -p'your-password' in single quotes to encapsulate any special characters in the password. Then it dawned on me (being a PHP noob), to check my $password variable in the PHP code. Sure enough I had something to the effect of:
$password = "some random pa$$word goes here";
Whoops. The $ character within double-quotes in PHP signifies a variable insertion within a string. This was most likely being interpreted as:
"some random pa goes here" // Since $ is empty and $word isn't a declared variable!
Putting the password with a $ special character in between single quotes solved the simple PHP syntax problem.
Thanks for stopping me from going down the path of server reconfiguration and encouraging me to search my PHP code more closely!
It's a bug hunt, and it sounds like credentials are wrong in at least some cases.
Check the mysql logs and verify it is showing the same user when you log in successfully from the command-line and when you do it from PHP or when you fail from the command line. You may sometimes be showing up as 'username' or 'username'#'localhost' or 'username'#'fqdn' and be being treated differently based on that.
Check carefully letter-by-letter to be sure you are not typing the credentials differently in two different places. Verify credentials are being imported into your php file correctly.
How do we determine which user the php script is running under when I run the script on server? Is it running under the same user as apache or phpmyadmin by chance? My question maybe wrongly framed but I want to know which user so that I set appropriate permission for different folders in /var
Execute whoami:
<?php echo exec('whoami'); ?>
If you have posix functions available (enabled by default in most Linux-based environments) then you can use posix_geteuid and posix_getpwuid to get the name of the user (at least in non-Windows environments) like so:
$pwu_data = posix_getpwuid(posix_geteuid());
$username = $pwu_data['name'];
Another (more expensive) way to do it would be to use a shell-executing function like exec to run whoami:
$username = exec('whoami');
or even the backticks (although you may need to trim the linebreak off):
$username = `whoami`;
I personally have only ever needed to get the username of the user running the script for PHP scripts that run in the shell (on the command-line). Typically, scripts that run in the process of building the response to a request that the web server is handling will be run as the web server user, such as www-data, apache, etc. In Apache, the user that runs the apache/httpd processes is set with the User directive.
Important note: get_current_user does NOT give you the username of the user running the script, but instead gives you the OWNER of the script. Some of the answers here (appropriately down-voted) are suggesting to use get_current_user, but that will not give you the username of the user running the current script.
Do not use "whoami". When you execute a process the user will not necessarily be the same as the effective user during running of a script. But in any case "id" would provide much more useful information. Instead call get_current_user(). So simple!
Use this:
echo get_current_user();
Make sure to read the comments because it looks like this answer doesn't actually do what you want.
Use this:
$_SERVER['REMOTE_USER'];
this variable may or may not be set.
I'm moving a site that had access to phpmyadmin to one where I don't (not yet anyway). Is there a php script to import the generated .sql file into a database? The db is created and ready, just need to import the tables and records.
Try this.
Upload your SQL file to the web space via FTP and execute a page with this code in it.
<?php
$file="path/to/file.sql";
$command = "mysql -u $dbuser --password='$dbpassword' --host='$sqlhost' $dbname < $file";
exec($command);
?>
Don't forget to set the variables for database name, username, and password. Also, make sure PHP has access to execute commands using the exec function.
Why use php, why not use MySQL itself:
http://dev.mysql.com/doc/refman/5.5/en/mysql.html
Use SSH. Install PuTTy first. Ask your host the server IP, username and password for SSH server, and then do the work. Anyway, how do you think you are going to properly manage your tables and databases without phpmyadmin or any other alternative SQL client, eh? Ask your hosts to install them. Btw, looks like your host's at Antarctica or some other ancient place. I mean, come on man, a SQL client like phpMyAdmin is offered even in free subhosting.