  • tomvanminnebruggen Reply #1, 8 years ago
    Hello,

    The database user of the database in phpMyAdmin has full rights in phpMyAdmin (alter, create routine, drop, index, lock tables, select, update, delete, execute, ...)

    2 questions:

    1. Is it necessary to give the database user all these rights to install MODX, ...
    2. Is MODX Evolution protected against SQL injection?


    thanks
    • 1. The permissions the database user has depend completely on what permissions he was given in MySQL. That has nothing at all to do with MODx.

      2. Yes, with the caution that it is possible to write snippets and plugins with PHP code that itself is not secure. For that reason, Evo has the option of preventing Manager users from using the @EVAL feature of TVs.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
      • tomvanminnebruggen Reply #3, 8 years ago

        1. And is it necessary to give all the permissions in MySQL to run MODX?
        2. Thanks. If I use snippets and plugins from modx-site, then there will be no problem?
        • 1. Not all, but it depends on what some of your snippets or plugins are doing. Minimum should probably be:

          SELECT, INSERT, UPDATE, DELETE for data, CREATE, ALTER, INDEX, DROP for tables, and possibly CREATE TEMPORARY TABLES.

          2. We certainly expect so! You should subscribe to the notices newsletter just in case, though. http://forums.modx.com/thread/251/security-notice-subscription-options#dis-post-1649
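One way to check a database user against the minimum privilege list given in the last reply, as an added example that is not part of the original thread or of MODX: it parses the text of MySQL's `SHOW GRANTS` and reports privileges beyond that list, missing ones, and grants wider than the site's own database. The user name, database name and sample output are constructed placeholders.

```python
import re

# Privileges named in the reply above as the probable minimum.
MINIMUM = {"SELECT", "INSERT", "UPDATE", "DELETE",
           "CREATE", "ALTER", "INDEX", "DROP"}
OPTIONAL = {"CREATE TEMPORARY TABLES"}   # "possibly" in the reply
ALL = {"ALL", "ALL PRIVILEGES"}
GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+", re.I)

def parse_grant(line):
    """Return (scope, privileges) for one SHOW GRANTS line, or None."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    # Drop column lists such as "SELECT (id, name)" before splitting.
    privs = re.sub(r"\([^)]*\)", "", m.group(1))
    names = {p.strip().upper() for p in privs.split(",") if p.strip()}
    return m.group(2).replace("`", ""), names - {"USAGE"}  # USAGE = none

def audit(show_grants_output, database):
    """Compare a user's grants with the minimum set from the thread."""
    granted, notes = set(), []
    for line in show_grants_output.splitlines():
        parsed = parse_grant(line)
        if not parsed or not parsed[1]:
            continue
        scope, names = parsed
        granted |= names
        if scope != database + ".*":
            notes.append("scope " + scope + " is not " + database + ".*")
        if "WITH GRANT OPTION" in line.upper():
            notes.append("WITH GRANT OPTION on " + scope)
    missing = [] if granted & ALL else sorted(MINIMUM - granted)
    return {"excess": sorted(granted - MINIMUM - OPTIONAL),
            "missing": missing, "notes": notes}

# Constructed sample output; user and database names are placeholders.
SAMPLE = """\
GRANT USAGE ON *.* TO `modx`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES, EXECUTE, CREATE ROUTINE ON `modx_db`.* TO `modx`@`localhost`
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "modx_db"))
```

Anything reported under `excess` is a candidate for `REVOKE`, after confirming that no installed snippet or plugin depends on it.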