s22_tech (Moderator, from United States, member since October 2019), 9 December 2019 20:43

[i]This information is for those with multiple MySQL dbs on their server.[/i]

The SQLBuddy mod is one of the most intriguing modules I've seen yet for LiteCart. I love it! However, it can pose a HUGE security risk. After I installed it, every single one of my databases showed up in LiteCart's admin!

[b]IMPORTANT[/b]: If you want to run SQLBuddy, make sure that you give each and every database on your server a unique username and password. If you don't, EVERY SINGLE ONE OF THEM will be visible to whoever has access to your admin - [i]AND[/i] all of them can be edited via this mod - not just your LC db.

I cannot stress this enough. It will list EVERY single database you have on your server that uses the same username/password combo. It not only allows anyone with access to your admin to [i]see[/i] all your databases, but also to [i]change[/i] them and/or [i]delete[/i] them. The only way around this is to make sure each db has a unique username and password.

This seems logical to me now, but before this I had no clue that having the same password for multiple dbs could be a security risk like this. Knowing this now, I recommend having unique passwords whether or not you'll run SQLBuddy. You just never know when your data can/will be exposed. And if this doesn't scare you enough, here's another thought - we also don't know if any information is being sent anywhere with this mod. If by some chance your password gets compromised, you would only lose this db - not every one of them that you've set up.

Sorry to be so dramatic, but this one took me completely by surprise. In today's day and age, you can't be too careful. And if you don't back up your db regularly now, you really should start. That would turn what could be a tragedy into merely an inconvenience.

I hope this helps someone else.

Marc
tim (Founder, from Sweden, member since May 2013), 9 December 2019 22:30

The problem is not sqlBuddy but the permissions given to the mysql user. And do not ever remove your .htaccess protection when you have sqlbuddy.
s22_tech (Moderator, from United States, member since October 2019), 9 December 2019 23:19

You're correct. It's not SQLBuddy's fault, but it exposes the problem. I was talking about an "internal" threat. The .htaccess file is for external threats.

Let's say a cart owner gives an employee, or an SEO person, access to LiteCart's admin section. That person would then have open access to every database on the server that used the same username/password combo, right from within LiteCart's admin, using the SQLBuddy mod. At the very least, even the admin of a cart could make a mistake by selecting the wrong db to make changes on, and then wonder what happened when something breaks. At the end of a long day, [i]anyone[/i] can make a mistake. I speak from experience. ; )

I believe my warning still stands - don't use the same username/password for multiple databases. If the permissions are set high enough, it could be a recipe for disaster.

Other than that, I'm lovin' SQLBuddy. I don't have to jump between programs as much now, since this lets me do SQL right from within LiteCart. Extremely cool!
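The fix both posters arrive at (tim's point that the real issue is the MySQL user's permissions, and s22_tech's rule of one username/password per database) is a least-privilege grant. The statements below are an added example, not code from the thread or from LiteCart/SQLBuddy. The database names litecart_db and blog_db, the account names litecart_app and blog_app, the passwords, and the exact privilege list are assumptions; the privileges your LiteCart install (and any mods you add) actually needs may differ, so trim or extend the list to match.

```sql
-- Added example: one MySQL account per database, scoped to that database only.
-- All names and passwords below are placeholders (assumptions), not values from the thread.

-- The situation the thread describes: a single account with broad rights.
-- Any tool that connects with it (SQLBuddy inside the LiteCart admin included)
-- sees and can modify every database on the server.
--   CREATE USER 'shared'@'localhost' IDENTIFIED BY 'same-password-everywhere';
--   GRANT ALL PRIVILEGES ON *.* TO 'shared'@'localhost';

-- The fix: a dedicated account per database, with grants limited to that database.
-- LiteCart's own account sees litecart_db and nothing else.
CREATE USER 'litecart_app'@'localhost' IDENTIFIED BY 'change-me-litecart';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
  ON litecart_db.* TO 'litecart_app'@'localhost';

-- A second site on the same server gets its own account and its own password.
CREATE USER 'blog_app'@'localhost' IDENTIFIED BY 'change-me-blog';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
  ON blog_db.* TO 'blog_app'@'localhost';

-- Check from the server side: the grant must name litecart_db.*, never *.*.
SHOW GRANTS FOR 'litecart_app'@'localhost';

-- Check from the application side: run this while connected as litecart_app.
-- Without the global SHOW DATABASES privilege, MySQL lists only databases the
-- account holds some privilege on, so blog_db must not appear in the result.
SHOW DATABASES;
```

Point LiteCart's config (the database username and password it connects with) at the litecart_app account, then open SQLBuddy in the admin: only litecart_db should be listed. If other databases still show up, the account still holds a global grant and SHOW GRANTS will show it. Note that the grant above deliberately leaves out GRANT OPTION and server-wide privileges such as FILE or SUPER, since an admin user of the shop has no reason to hold them.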