Prestashop - 1.4 Manuel De L’Administrateur
The allow_url_include directive allows the require and include statements to include any file, even one that does not come from your Web server. This option must be set to OFF, because if one application on your web server suffers from an "include vulnerability", users will be able to include any file from any server, and it will be executed on your own server.
In short, it is highly recommended to have the following directives set
to the indicated values:
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off
MySQL configuration
MySQL often has an administrator account by default ("root", "admin"...), which gives access to all of the databases' content, no matter who manages the database. The administrator has all the rights and can perform every possible action. You therefore need to safeguard your databases, so as to prevent your web applications from succumbing to
(which can happen when a user succeeds in obtaining the admin password).
If you have just installed MySQL, do add a password for the root account, which has no password by default.
One user per web application
Each time you install a new web application on your server, you must create a new MySQL user with just the necessary rights to handle that application's data. Do NOT use the same username to handle the databases for all of your installed web applications.
Let's say we manage MySQL with a user account that can create new users. Let's do just that, using the following command line:
mysql -u USERNAME -p
(with -p given no value, mysql prompts for the password; writing "-p PASSWORD" with a space would make mysql treat PASSWORD as the name of a database to open)
...or using the following SQL query:
mysql> USE mysql;
mysql> CREATE USER 'username'@'servername' IDENTIFIED BY 'new_password';
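As an added example (not taken from the PrestaShop manual), here is the complete least-privilege setup for one web application, continuing from the CREATE USER statement above. The database name shop_db, the account shop_user, the host localhost and the password are assumed placeholders to replace with your own values.

```sql
-- Added example, not from the PrestaShop manual.
-- Assumed names: database shop_db, account shop_user, password placeholder.

-- The application's own database, and nothing else, is what the account may touch.
CREATE DATABASE IF NOT EXISTS shop_db CHARACTER SET utf8;

-- Restrict the account to connections coming from the web server itself.
-- A host of '%' would accept logins from anywhere on the network.
CREATE USER 'shop_user'@'localhost' IDENTIFIED BY 'CHANGE_ME_strong_password';

-- Only the rights a web application needs on its own schema.
-- Deliberately absent: global privileges on *.*, FILE (reads and writes server
-- files), SUPER, PROCESS, and GRANT OPTION (lets the account hand out rights).
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON shop_db.* TO 'shop_user'@'localhost';

FLUSH PRIVILEGES;

-- Verification: expect only "USAGE ON *.*" plus the single grant on shop_db.*.
SHOW GRANTS FOR 'shop_user'@'localhost';

-- Audit the administrator accounts the manual warns about: any root row whose
-- host is '%' can be reached remotely, and any account whose
-- authentication data is empty has no password at all.
SELECT user, host FROM mysql.user WHERE user = 'root';
```

Repeat the CREATE DATABASE, CREATE USER and GRANT steps with a different database and account name for each web application you install, so that a compromised application password exposes only that application's data. If you later need to confirm what an existing account can do, SHOW GRANTS is the quickest check.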
Note that your host might give you access to an online tool to do MySQL
administration tasks more easily, such as cPanel. Do use that, since you
probably won't have access to the command line in that case.