Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ability to change Database prefix in Installation Process #631

Closed
Serverfrog opened this issue Jul 28, 2016 · 9 comments
Closed

Ability to change Database prefix in Installation Process #631

Serverfrog opened this issue Jul 28, 2016 · 9 comments

Comments

@Serverfrog
Copy link

Serverfrog commented Jul 28, 2016

It would be very good if the Table Prefix for the database could be changed in the Installation Process.
The best practice would be some random nonce per default.
Currently: oc_%tablename%
Best Practice oc%random_nonce%_%tablename% or user defined

@phsc84
Copy link

phsc84 commented Jul 28, 2016

Not the same, but at least similar to #527

@Serverfrog
Copy link
Author

  • Removed part with the switchen from oc_ to nc_

@nickvergessen
Copy link
Member

The problem is, that some table names already reach the 30 char limit of one of the supported DBMS with the 3 character prefix. So if an option is added, it can only be 3 characters long.

However, the best practice advice is to use one database per installation, then you don't need to change the prefix.

So I will close this, since oc/nc is handled in #527 and the other thing can not be fixed.

@Serverfrog
Copy link
Author

but what is with a user defined option? if the User know that his database had not this limit it would be the best if he could change it on the start and not write a long alter script

@nickvergessen
Copy link
Member

why would you even want to change it, it's only 3 characters somewhere in your backup, nothing you really should care about.

@Serverfrog
Copy link
Author

if there is a SQL Injection, the hacker must not guess the prefix of the tables and can run Scripts without further research

@phsc84
Copy link

phsc84 commented Aug 4, 2016

This would not really enhance the security. You can get table names very easily by executing an additional query.
MySQL/MariaDB/Postgres:
select table_name from information_schema.tables;
Oracle:
select table_name from all_all_tables;

Afterwards you can extract the table prefix and you're done. For someone, who already managed to get SQL access to your database, this would be no hurdle.

@tflidd
Copy link
Contributor

tflidd commented Apr 8, 2018

So why do we need the prefix at all?
One use case: You want to install a second test setup but you only have 1 database.

You can only manually modify the prefix of the table names and then change the config/config.php setting accordingly.

@nickvergessen
Copy link
Member

So why do we need the prefix at all?

Well it's hard to remove it and also hard to fully implement it, which is why we are stuck in the current situation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants