TBNL » mysql http://www.tibobeijen.nl ...another view on the web and how it's built Wed, 06 Jul 2011 19:28:47 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Fixing mysqldump on Zend Server CE on OS X http://www.tibobeijen.nl/blog/2011/03/01/fixing-mysqldump-on-zend-server-ce-on-os-x/ http://www.tibobeijen.nl/blog/2011/03/01/fixing-mysqldump-on-zend-server-ce-on-os-x/#comments Tue, 01 Mar 2011 07:37:56 +0000 Tibo Beijen http://www.tibobeijen.nl/?p=652 A while ago I installed Zend Server Community Edition on OS X which was pretty straightforward. It was only recently that I found out that, as opposed to mysql which worked fine, mysqldump didn’t work correctly and terminated with the error:

mysqldump: Got error: 2002: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) when trying to connect

Inspecting the mysql configuration contained in /usr/local/zend/mysql/data/my.cnf confirmed that the section [client] showed the socket as returned by executing SHOW VARIABLES; from the mysql client: /usr/local/zend/mysql/tmp/mysql.sock

Although it is possible to specify the socket by using mysqldump’s --socket switch, that doesn’t really seem a ‘solution’.

Apparently mysqldump, as opposed to the mysql client does not use the server-specific settings contained in /usr/local/zend/mysql/data/my.cnf. The comments in my.cnf state:

# You can copy this file to
# /etc/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is /usr/local/zend/mysql/data) or
# ~/.my.cnf to set user-specific options.

After copying /usr/local/zend/mysql/data/my.cnf to /etc/my.cnf mysqldump worked as expected.

In /etc/my.cnf I have included only the setting needed to get mysqldump running:

# Specifying socket to use for mysql/mysqldump
# For other settings refer to /usr/local/zend/mysql/data/my.cnf
[client]
socket      = /usr/local/zend/mysql/tmp/mysql.sock

Hope this saves anyone running into the same issue some time.

Update (alternative solutions):
As Joel Clermont pointed out it is also possible to create a symlink on the socket location expected by mysqldump to the real socket location. This can be done by executing:

ln -s /usr/local/zend/mysql/tmp/mysql.sock /tmp/mysql.sock

Another possible approach is to create a symlink at /etc/my.cnf to /usr/local/zend/mysql/data/my.cnf. This has the downside that it requires loosening the default permissions (drwxr-x---) on the data folder by allowing ‘others’ to enter it. Commands to execute:

sudo chmod o+x /usr/local/zend/mysql/data
sudo ln -s /usr/local/zend/mysql/data/my.cnf my.cnf

Granting more permissions can be a security consideration but on most development setups this probably won’t be an issue.

Additional info about Zend Server CE on OS X:

]]> http://www.tibobeijen.nl/blog/2011/03/01/fixing-mysqldump-on-zend-server-ce-on-os-x/feed/ 4 SQL injection & the Kaspersky hack http://www.tibobeijen.nl/blog/2009/02/11/sql_injection-and-the-kaspersky-hack/ http://www.tibobeijen.nl/blog/2009/02/11/sql_injection-and-the-kaspersky-hack/#comments Wed, 11 Feb 2009 18:38:50 +0000 Tibo Beijen http://www.tibobeijen.nl/?p=137 Last week I read an article on webwereld titled ‘2008 was year of the SQL injection attack‘. It was based on an article with the same title on networkworld.com. Apparently SQL injection has taken over the lead from XSS. Not surprisingly the first user-comment stated that almost 100% of the exploits were certainly in PHP applications written by would-be programmers. With things so obvious it’s of course unneccessary to provide factual data backing up such a statement. So, nothing to win in that discussion. Three days ago news came that a customer database of Kaspersky was hacked. By using SQL injection. On a PHP website. Could commenter X be right?

It is true that PHP allows novice as well as experienced programmers to achieve ‘what they want’. And the novice might adopt some very bad practices. But does that make PHP an insecure programming language? Compare it to driving a car. Yes, you can drive around like a maniac and wreak havoc on the unaware. But does that make a car an unsecure vehicle? The PHP platform offers enough techniques to rule out SQL injection attacks:

  • Prepared statements. There’s no need to concat potentially harmful data in SQL statements. Provide them as a parameter when executung a prepared statement. More efficient too.
  • ORM. If you think SQL should be behind an abstraction layer, you can do so. Propel and Doctrine are the best known solutions for PHP.
  • Well structured programming. If, for some reason, you want to build queries the old way you can force upon yourself (or your team) some good practices. See example below.
$dataTainted['un'] = $_POST['un'];
$dataTainted['pw'] = $_POST['pw'];
 
// escape all array values using a custom function of some sort
$dataSafe = mysqlEscapeValues($dataTainted);
 
$query = <<<SQL
SELECT
  *
FROM
  users
WHERE
  un = "{$dataSafe['un']}"
AND
  pw = SHA1("{$dataSafe['pw']}")
SQL;

And that’s just the coding part of the story. In the area of application design a lot can be done to minimize the consequences of an exploit. For example, different database users can be set up that have different levels of access. Only parts of a website needing customer data then use the credentials that do provide such access.

So, for PHP there are good practices and solutions aplenty. For more information on SQL injection one can start at OWASP or Wikipedia. And finally, the subject isn’t non-existent in .NET and JSP.

]]> http://www.tibobeijen.nl/blog/2009/02/11/sql_injection-and-the-kaspersky-hack/feed/ 0