# HostGator Fail

My boss / the guy I work with (it's more partnership than subordinate, but he pays me) and I use HostGator for our server needs. They're pretty awesome, and affordable for what you get. SSH access, "unlimited" disk space and bandwidth, but perhaps second-most importantly to us is Remote MySQL.

I still suffer the pains of developing locally with a database. The database structure has to be synced with the live server, and sometimes it needs the same data. It's annoying if half-way through my "comment system" branch I think "Oh, this will be a cool feature down the road..." and end up having to modify or add some table both on my local machine and on the live server. Once you have Remote Databases enabled, though, everything is nice. (I guess I can make my computer the remote database enabled one, but my IP changes.)

Anyway, before I get too far off-topic about the niceness of remote databases, I want to mention a brief problem we had today.

For reasons of laziness we haven't yet ported our database on an old HostGator account we shared with my boss's brother, and so on our own personal HostGator account now we just have it connecting remotely to the old one. Does this slow things down? Yes, but it's not too noticeable, and we'll get around to migrating eventually. But today it stopped connecting.

Once I was aware of it I contacted HostGator support. The guy I talked to was very helpful and didn't treat me like an idiot, and we resolved the problem fast enough (albeit none of us are sure why the fix works). So where is the fail I'm referring to?

All I ever had to say was that my domain (gave them the name) was having issues with a remote database connection. They went in and added the "%" wildcard for IP's on the server that's making the request, not granting it, which already had a "%". That's why we're confused it worked, as it would suggest the granting needs to be both ways. But can you see the fail?

With things so potentially valuable like websites, it's important that the support in charge of the servers verifies credentials. While I'm not particularly worried about having a "%" wildcard, it is a security risk because anything can pound your DB and try to get in, from anywhere. It would be so easy to social engineer these people into putting "%" in there for you, and I bet it wouldn't be too difficult with nothing but the domain name to get them to do other more harmful stuff.

So while I like HostGator, and it is nicer for the customer to not have to jump through many security hoops to get something simple resolved, it is a critique on them and anyone else when they don't use very secure authentication methods. I'm not familiar with enough hosting companies (or customer support practices) to determine if this is a widespread problem, but it does seem worth fixing.

P.S. This site doesn't use HostGator, but I may change eventually for the greater disk space reasons alone.

#### Posted on 2009-07-24 by Jach

Tags: daily life, stupidity

LaTeX allowed in comments, use $\\...\\$\$ to wrap inline and $$...$$ to wrap blocks.