Reputation: 1022
I have the following code which connects to a database on my remote server (the connection script resides on the same server):
Database::$ErrorHandle = new PDO('pgsql:host=111.222.33.44;dbname=mydatabase;', 'postgres', 'mypassword', $db_settings);
The problem is I can change the password to be anything at all and the connection is still made! Like seriously what the hell!?!
Can my database be connected to (providing you know the IP and db name) by anyone from a PHP script running on a different server?
How can I enforce passwords? I have looked at the following Stack Overflow page and did what they said, but still no luck: How to change PostgreSQL user password?
I am running Ubuntu 12.04 server with PHP 5.5 and Apache2
Upvotes: 16
Views: 4884
Reputation: 6822
Of course your PostgreSQL database can be properly configured to only connect with authenticated users, even certain users (roles in Postgres) from certain IPs/sockets.
Some considerations:
Do you see data? Or can you just connect to the server? Can you list the databases?
Look at your pg_hba.conf and set up the proper permissions, per role, per database, per source.
Did you grant access to the mydatabase to everyone? Which roles did you grant access?
Does the database have its tables in the public schema? And granted access to the public?
Yes, with this configuration everyone who knows your IP and database name can connect to your database.
Upvotes: 11
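The `pg_hba.conf` review suggested in the answer, as an added example (not code from either poster): a small Python audit that flags rules using the `trust` method, under which PostgreSQL does not check the password at all, and rules that match any source address. The sample file is constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample pg_hba.conf; not the file from the question's server.
SAMPLE_HBA = """\
# TYPE  DATABASE    USER      ADDRESS             METHOD
local   all         postgres                      peer
host    all         all       127.0.0.1/32        md5
host    mydatabase  all       111.222.33.44/32    trust
host    all         all       0.0.0.0/0           md5
host    mydatabase  postgres  10.0.0.0 255.0.0.0  trust
"""

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) for each rule.
    Simplification: quoted names and include directives are not handled."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if f and f[0] == "local" and len(f) >= 4:
            yield lineno, "local", f[1], f[2], None, f[3]  # no address column
        elif len(f) >= 5 and f[0] != "local":
            addr, rest = f[3], f[4:]
            try:
                ipaddress.ip_address(rest[0])   # "IP-address IP-mask" form
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            except ValueError:
                pass                            # CIDR, hostname or keyword
            if rest:
                yield lineno, f[0], f[1], f[2], addr, rest[0]

def matches_any_source(addr):
    """True if the address column matches every client address."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False                            # hostname, samehost, samenet

def audit(text):
    """Return (lineno, issue) pairs for rules worth reviewing."""
    findings = []
    for lineno, typ, db, user, addr, method in parse_hba(text):
        if method == "trust":                   # password is never checked
            findings.append((lineno, "trust"))
        if typ != "local" and matches_any_source(addr):
            findings.append((lineno, "any-source"))
    return findings

if __name__ == "__main__":
    for lineno, issue in audit(SAMPLE_HBA):
        print(f"line {lineno}: {issue}")
```

PostgreSQL uses the first rule that matches a connection, so a `trust` line placed above an `md5` line for the same source still wins; the server must reload its configuration before an edited file takes effect.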