I have been tasked with creating a simple HTML webpage to allow sysadmins to grant database permissions in a mysql instance (v 5.6.34).
Where I am stuck is that our security team wants the sysadmins to be able to enter a number of days, after which time the privs would be revoked -- I cannot seem to figure out a way to do this natively, from within the database (i.e. an expiration date of sorts), and have it happen automatically on said date. Is there a way to do this?
I do plan to script the events in Python, but I am pretty new there as well so if I am missing something simple please let me know.
Related
I have a small Python project site where a visitor can practice writing SQL code. This code actually runs and returns values. I know that I need to prevent SQL injection, but I'm not sure the best approach since the purpose of the site is that users should be able to write and execute arbitrary SQL code against a real database.
What should I look to do to prevent malicious behavior? I want to prevent statements such as DROP xyz;, but users should still be able to execute code. I think maybe the ideal solution is that users can only "read" from the database, ie. they can only run SELECT statements (or variations). But I'm not sure if "read only" captures all edge cases of malicious behavior.
Need to prevent malicious SQL querying, but also need to allow users to execute code
Using SQLite now but will probably move to postgres
I'm strictly using SQL at this point but may want to add Python and other languages in the future
The site is built with Python (Flask)
Any ideas or suggestions would be helpful
There is no way to prevent SQL injection for a site that takes SQL statements as user input and runs them verbatim. The purpose of the site is SQL injection. The only way you can prevent SQL injection is to not develop this site.
If you do develop the site, how can you prevent malicious SQL? Answer: don't let malicious users have access to this site. Only allow trusted users to use it.
Okay, I assume you do want to develop the site and you do want to allow all users, without doing a lot of work to screen them.
Then it becomes a task of limiting the potential damage they can do. Restrict their privileges carefully, so they only have access to create objects and run queries in a specific schema.
Or better yet, launch a Docker container for each individual to have their own private database instance, and restrict the CPU and memory the container can use.
We have a requirement where we want to show zendesk tickets updated with the data from PostgreSQL database , We are using Python as the scripting language and planning to use this API "http://docs.facetoe.com.au/zenpy.html" for this.
The idea is to help the service team to gather and see all the information in the Zendesk itself.There are additional data in the database which we want to show it in the tickets either as comments or a table structure with the details from other tickets which is raised by this user(We are taking the email address of the user for this).
There is no application at our DWH, So mostly google reference shows the integration between zendesk and some other applications and not much references about updating the tickets from the database via Python or other scripting languages.
So is it possible to pass the data from our DWH to be appeared in the zendesk tickets?
Can anyone helps/suggest me on how to achieve/start on this.
It is possible to update tickets from anywhere using python and some codding.
Your problem can be solved in different ways.
The first one, a little simpler:
You make a simple python app and launch it with cron. App architecture will be like this:
Main process periodically track new tickets in Zendesk using search request. If relevant to database ticket is found (you need some metrics to understand is it relevant ticket) you main process makes a post via ticket.update with information from database. And make a special tag on ticket, to understand that it was already updated.
This is easy to write, but if you database data will be updated it will not be updated in ticket.
The second option is to make private app on zendesk side with backend on you side.
So in this case when your staff member opens some ticket app will request backend to display current data from database, relevant to this ticket. In this case you will see actual information everytime, but will get some database requests on every ticket open case.
To make first script you will need:
zenpy, sqlalchemy and 1-2 days codding.
To make second option you will need:
zenpy, sqlalchemy, flask, front-end interface.
I'm basically making a Skype alternative in Python.
I'm making the login/register system,but I ran into some problems.
So I need to be able to connect to a mySQL database, but when viewing the code of the .py file, the person viewing the code can not be able to see the mySQL login information.
Because then they could just login to the database themselves, and mess everything up.
Anybody have any clue on how to do this?
EDIT
It's basically impossible to do what I want, so I'm just gonna make it so that you have to register through a website, and have logging in have read-only privileges to the database. SHA-256 should be pretty difficult for someone to crack, so I'll just encrypt everyones usernames and passwords.
Lock down access to the mySQL user ID used by the program so it can do only what it needs and nothing more. Perhaps interact via stored procedures only, and without permission to do anything directly (e.g. DROP tables, SELECT, INSERT, DELETE, etc.)
You can encrypt the password, but if someone has the program code, if the user ID isn't locked down they can still get into the database without knowing the password, just by changing what the Python program queries.
I've heard that MongoDB is very good Database, especially for placing large data inside, However i'm not sure how safe can it really be.
I'm not experienced at MongoDB, but before i choose, i want to know how safe it can be for important data.
So for example, if i specified uri, i would type this:
uri = "mongodb://test1:test1#ds051990.mongolab.com:51990/base1"
I'm trying to make a P2P text chat, It can be accessed on user's PC with root permissions, Whenever user registers, User's Latest IP, Username and will be added to database, as code was shown below.
But the "Hacker" would easily access it by simply getting into code, and viewing all the information, then he would read/write all the data inside.
What would be the best solution to prevent this issue? I think high-level Databases like MongoDB would have some-kind of protection against other users accessing it.
How can make sure only necessary users can access database and other users can't enter it by viewing uri variable?
If not is there ANY other way i can do it? So user can't access Database at all, But i would read and write files from database.
You have no easy way of hiding the credentials. Instead, create a user with the minimal required permissions in the database, and use these credentials in your distributed code.
If you are worried about the users being able to see plain-text IP addresses, you should hash and salt them before inserting them to the database.
I have coded a Python Flask application, and I run two instances of it on two different web servers. Every time a HTTP request is made to the application, a new connection to my MySQL database is created. In my application, there is a table of accounts, and each account has an integer balance. The problem is, I discovered that if a user makes multiple requests to a URL route that subtracts from an accounts balance quickly, they can end up with a negative balance because the two requests are executed at the same time.
Basically my question is, how can I make it so that when I am running a query on a row's balance column, that row will be untouchable by any other connections, of which there may be many? I would like to leave all other rows in the table editable, I would just like to kind of "lock" a single row so that users can't "double spend" their balance, etc., without locking the entire table for performance's sake.
Or perhaps I am approaching this completely wrong -- sorry if I am, I'm quite new to this.
I did ask a question on a different account when I first started coding this application regarding the proper way to do this, but it got downvoted to hell, and now I'm in this mess.
I have looked into MySQL transactions, but I don't understand them very well, and I don't think that I should be using them here, or am I wrong?
Thank you!