Skip to topic | Skip to bottom
Home
TWiki

Log In

TWiki.DatabasePluginr1.1 - 05 May 2003 - 11:52 - Members.guesttopic end
Start of topic | Skip to actions

DatabasePlugin (Version 1.3)

Provide secure access (read and write [mysql only]) to data in a database allowing the user to specify the resulting output format as well as editable tables. 'secure', in this case, just means not putting passwords in clear text into a TWiki page but placing it either in a 'secure' flat TWiki file or in a database.

NOTE:
Security is only achieved if:

  1. File bin/DatabasePluginConfig.pm is not readable through a web page and has been locked by updating the .htaccess file in bin (or locking via whatever your security procedure is on your web server)
  2. File bin/DatabasePluginEdit has been locked (requiring a valid user) by updating the .htaccess file in bin (or locking via whatever your security procedure is on your web server)
  3. People with login/ftp access to your web server do not have read access to bin/DatabasePluginConfig.pm

This plugin references bin/DatabasePluginConfig.pm. This file contains one required section and one optional section.

  • Required - Description of where the primary DatabasePlugin database is located and
  • Optional - Any local database specific information if the above required section says that the db_driver is Local.

Again, this plugin provides access to database information in a semi-secure manner. Since clear text passwords in a TWiki page is not good, the passwords to databases are themselves placed into a DatabasePlugin database (either located in a real database or located in the bin/DatabasePluginConfig.pm file). This database contains the following fields:

Column Name Description
ID Standard auto_increment column to allow for unique db entries (optional if a real database)
description This field acts as the look-up mechanism for the indirection. A TWiki page would reference this name instead of having to publicly specify user names, passwords, etc.
driver Database driver name (currently only mysql has been tested)
db_name The name of the database in which the table_name is found
db_sid The SID of the database in which the table_name is found (optional: used for Oracle)
table_name The name of the table found in the db_name database
ro_username A user name providing read-only access to the specified table
ro_password The password for the specified ro_username
hostname The name of the host on which the specified db_name lives

To secure the database information allowing access to the above database, a Perl .pm is created and placed into bin where the .htaccess file (or whatever your security mechanism is) is updated such that this file can NOT be viewed from a web browser. This file contains variables defining access information to the above database. The variables are:

$db_driver DBI driver -- Tested values are: mysql, Oracle, and Local (where Local means instead of the indirection into the database to get the further database information the info is obtained locally)
$db_database The name of the database in which the table described above can be found
$db_sid The SID of the database in which the table described above can be fond (optional: used for Oracle)
$db_table The table in which the above information is found. I used DatabasePlugin as the table name, though you can specify anything you wish
$db_username The user name allowing access to the above database (for both read and write access)
$db_password The password allowing $db_username access to the table (for both read and write access)
$db_hostname The hostname on which the above table can be found
$db_edit_prefix The prefix used when generating the URL for invoking phpMyAdmin. The value of this by default is 'https' for added security, though could be set to 'http'
$db_edit_url The rest of the URL which points to phpMyAdmin. This can either be a relative path or absolute. If absolute, then the form would look something like machine.do.main/path_to_where_phpMyAdmin_can_be_found

Syntax Rules

  • %DATABASE_TABLE{description="db1" headers="hdr1,hdr2,hdr3" columns="col1,col2,col3"}%
    Key Default Description of key
    description   Lookup "key" in the DatabasePlugin database to get the info on the database to access
    columns (optional) "*" The columns in the table to return
    headers (optional) columns values Table headers.

  • %DATABASE_SQL_TABLE{description="db1" headers="hdr1,hdr2,hdr3" command="sql command"}%
    Key Default Description of key
    description   Lookup "key" in the DatabasePlugin database to get the info on the database to access
    headers   Table headers.
    command   Any SQL command

  • %DATABASE_REPEAT{description="table_description" columns="col1,col2,col3"}% .... user formatting .... %DATABASE_REPEAT%
    Key Default Description of key
    description   Lookup "key" in the DatabasePlugin database to get the info on the database to access
    columns (optional) "*" The columns in the table to return

  • %DATABASE_SQL_REPEAT{description="table_description" command="..SQL COMMAND.." columns="col1,col2,col3"}% .... user formatting .... %DATABASE_SQL_REPEAT%
    Key Default Description of key down
    command   Any SQL command
    description   Lookup "key" in the DatabasePlugin database to get the info on the database to access
    columns (optional) "*" The columns in the table to return

  • %DATABASE_REPEAT{description="table_description" columns="col1,col2,col3"}% .... user formatting .... %DATABASE_REPEAT%
    Key Default Description of key
    description   Lookup "key" in the DatabasePlugin database to get the info on the database to access
    columns (optional) "*" The columns in the table to return

  • %DATABASE_EDIT{description="table_description" display_text="HTML link text"}%
    Key Default Description of key
    description   Lookup "key" in the DatabasePlugin database to get the info on the database to access
    display_text (optional) "edit" The columns in the table to return

Example

Assume that the DatabasePluginConfig.pm file (locked away in bin so that a user can not view the contents) contains the following: 

$db_driver      = "Oracle";
$db_database    = "mydb";
$db_sid         = "sid";
$db_table       = "DatabasePlugin";
$db_username    = "user";
$db_password    = "123456"; # (Note: this is the clear text password)
$db_hostname    = "localhost";

Assume that the database specified above contains the following information:

ID description driver db_name table_name ro_username ro_password hostname
1 calendar_events mysql mydb kalendus_event username1 password1 localhost
2 mysql_user_info mysql mysql user username2 password2 localhost

Now if I have the following in a TWiki page and the DatabasePlugin installed, the results should be a table containing 4 columns of information.

%DATABASE_TABLE{description="mysql_user_info" columns="Host,User,Password,Select_priv"}%

If I want table column headings that differ from the database column names, I could use: %DATABASE_TABLE{description="mysql_user_info" columns="Host,User,Password,Select_priv" headers="Host Name,User Name, Password,Select Privs"}%

An optional way to do the same thing would be to use: %DATABASE_SQL_TABLE{description="mysql_user_info" command="SELECT Host,User,Password,Select_priv FROM user" headers="Host Name,User Name, Password,Select Privs"}%

Using the REPEAT functionality, you can define how the database data is displayed wrapping it in any formatting you choose. For example, if you wanted to create a single table cell containing the information for 3 fields of the Kalendus calendar, you could use the following: %DATABASE_REPEAT{description="calendar_events"}%| %startdate%
%subject%
%body% | %DATABASE_REPEAT%

Or lets say you wanted to display the next two upcoming scheduled events in the Kalendus calendar. %DATABASE_SQL_REPEAT{description="calendar_events" command="SELECT subject,body,startdate FROM kalendus_event WHERE to_days(startdate) >= to_days(now()) order by startdate limit 2"}%| %startdate%
%subject%
%body% | %DATABASE_SQL_REPEAT%

Now lets say that you wanted to give the user the ability to edit the contents of a table. NOTE: This feature assumes the availability of phpMyAdmin since it uses phpMyAdmin to provide table editing. The following is how you would edit the table described by calendar_events. %DATABASE_EDIT{description="calendar_events" display_text="Edit the above table"}%

DatabasePlugin Settings

Plugin settings are stored as preferences variables. To reference a plugin setting write %_%, i.e. Link =ExternalSite:Page text to external sites based on aliases defined in the InterWikis topic=

  • One line description, is shown in the TextFormattingRules topic:
    • Set SHORTDESCRIPTION = Provide somewhat secure access to data in a database returning the data in either table form or in a user defined format

  • Debug plugin: (See output in data/debug.txt)
    • Set DEBUG = 0

  • Set security mode (0 = allow viewing of the contents of the master DatabasePlugin database, 1 = don't allow viewing of the master database)
  • Set SECURITY = 1
  • Set SECURITY_MESSAGE = Error: For security reasons, you can't specify the main DatabasePlugin database since it contains clear text passwords.

Plugin Installation Instructions

  • Download the ZIP file from the Plugin web (see below)
  • Unzip DatabasePlugin.zip in your twiki installation directory. Content:
    File: Description:
    data/TWiki/DatabasePlugin.txt Plugin topic
    lib/TWiki/Plugins/DatabasePlugin.pm Plugin Perl module
    bin/DatabasePluginConfig.pm Plugin configuration/initialization information
    bin/DatabasePluginEdit Routine which generates a frame based HTML page for editing a MySql table. NOTE: For security reasons, you MUST add this application to your .htaccess list as requiring a valid user since the output from this script will embed the database username and password allowing write access to the tables
  • Test if the plugin is correctly installed:
    • You will need to configure your installation to know if it is working as expected.

Plugin Info

Plugin Author: TaitCyrus?
Plugin Version: 5 May 2003 (v1.3)
Change History: 5 May 2003 (v1.3) Add support for the primary DB to be in a local file instead of in a DB. It is acknowledged that this reduces security somewhat
Also added support for Oracle (by adding in the concept of a SID)
  20 Mar 2002 (v1.2): Added table editing ability
  18 Feb 2002 (v1.11): Removed hard coded $debug=1;
  16 Feb 2002 (v1.1): Added the two REPEAT functions
  20 Jan 2002 (v1.0): Initial version
CPAN Dependencies: DBI
Other Dependencies: phpmyadmin (to support the edit ability)
Perl Version: 5.0 (tested with 5.6.1 [mysql] and 5.8.0 [Oracle and Local] )
Plugin Home: http://TWiki.org/cgi-bin/view/Plugins/DatabasePlugin
Feedback: http://TWiki.org/cgi-bin/view/Plugins/DatabasePluginDev

Related Topics: TWikiPreferences, TWikiPlugins

-- TaitCyrus? - 5 May 2003

to top

End of topic
Skip to action links | Back to top

Edit | Attach image or document | Printable version | Raw text | More topic actions
Revisions: | r1.2 | > | r1.1 | Total page history | Backlinks
You are here: TWiki > DatabasePlugin

to top

Copyright © 1999-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback