----- Original Message -----
From: "wcb" <[EMAIL PROTECTED]>
To: "MySQL" <[EMAIL PROTECTED]>
Sent: Saturday, January 04, 2003 6:41 PM
Subject: Re: Hiding the password

> Perhaps gurus can comment on what I'm suggesting here - if the database is
> set up so that only "localhost" can access it, then you can use a php or
> PERL script to allow people from elsewhere to cruise in and make queries
> as your script allows.

Why is this so difficult to grasp? As I, and many others, have pointed out, repeatedly, it does not matter how many layers you wrap around your password-retrieval code, as soon as you make the end-result accessible/readable by your web-CGI, you have done just that: made the user/password accessible by your web-daemon -- hence, made it accessible to everyone with access to your web-server.

And no, adding some sort of access-control within your CGI is equally useless: as a user being hosted on your web-server I would not bother to run your CGI, but simply copy it for ocular inspection. :)

> Certainly I'd appreciate comments on this by people in the know, because
> it is an issue that so many people face...

Perhaps those people should do what I do: create special MySQL users (@localhost), unprivileged to the max, with only very narrow SELECT privileges to the databases they are supposed to read data from, and use those users to access the MySQL server in your CGI.

- Mark
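
The account setup described in the reply above, as an added example that is not part of the original message: a localhost-only account limited to narrow SELECT grants, followed by a check that it holds nothing else. The schema, table, column and account names (`shop`, `products`, `orders`, `web_ro`) and the password placeholder are hypothetical, and the syntax assumes MySQL 5.7 or 8.0 run from an administrative account.

```sql
-- Added example; all object and account names here are hypothetical.

-- 1. Account that can only connect from the database host itself.
CREATE USER 'web_ro'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD';  -- placeholder

-- 2. Read access to exactly what the CGI displays: one whole table,
--    and only the non-sensitive columns of a second one.
GRANT SELECT ON shop.products TO 'web_ro'@'localhost';
GRANT SELECT (id, status, created_at) ON shop.orders TO 'web_ro'@'localhost';

-- 3. Confirm the result: USAGE on *.* plus the two SELECT grants.
SHOW GRANTS FOR 'web_ro'@'localhost';

-- 4. Audit: list every privilege the account holds other than SELECT,
--    at any level. An empty result set is the goal.
--    GRANTEE is stored with its quotes, hence the doubled quotes below.
SELECT 'global' AS scope, NULL AS object, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = '''web_ro''@''localhost'''
   AND PRIVILEGE_TYPE <> 'USAGE'
UNION ALL
SELECT 'schema', TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = '''web_ro''@''localhost'''
   AND PRIVILEGE_TYPE <> 'SELECT'
UNION ALL
SELECT 'table', CONCAT(TABLE_SCHEMA, '.', TABLE_NAME), PRIVILEGE_TYPE
  FROM information_schema.TABLE_PRIVILEGES
 WHERE GRANTEE = '''web_ro''@''localhost'''
   AND PRIVILEGE_TYPE <> 'SELECT'
UNION ALL
SELECT 'column',
       CONCAT(TABLE_SCHEMA, '.', TABLE_NAME, '.', COLUMN_NAME),
       PRIVILEGE_TYPE
  FROM information_schema.COLUMN_PRIVILEGES
 WHERE GRANTEE = '''web_ro''@''localhost'''
   AND PRIVILEGE_TYPE <> 'SELECT';
```

The audit query in step 4 can be rerun after any later change to the account to catch privileges that were added beyond SELECT.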