First, why are we conceding that "everyone can find out your id and
password"?  Your hosting company has your site separated from other
customers' sites, right?  So we are just talking about the development team
for your site being privy to this information.

Second, if you are referring to the staff of the hosting company, you can't
avoid their ability to access data via your login scripts, period.  As far as
I know they can view all of your communication with the MySQL database and
can get that information.  If you want tight security, hosting it yourself is
a must in my view.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: wcb [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 1:51 PM
To: Mark; MySQL
Subject: Re: Hiding the password

It isn't at all difficult to grasp.  Please carefully (and exercising a
certain amount of patience) read my post and the previous post upon which my
post was based.  We are acknowledging that EVERYONE can find out your id and
password.  The question reformulated is:

"Given that one's MySQL environment may not be accessible in terms of privs
(which is the case for a lot of people, who are paying for hosting by a
third party) and given that we CAN'T hide the id/password combination, is
the standard arrangement that hosts use (which is to ensure that only
localhost can access the database) adequate to prevent people from doing
unwanted things in your database?  NOTE that I'm assuming that one has a
script on localhost, and all users are from another domain, and also
assuming that the script is properly set up to constrain the activities of
users, does it even matter that people can determine the id/password
combination?"

Thanks for patient responses.

Cheers!

-warren



>
> > Perhaps gurus can comment on what I'm suggesting here - if the database is
> > set up so that only "localhost" can access it, then you can use a php or
> > PERL script to allow people from elsewhere to cruise in and make queries
> > as your script allows.
>
> Why is this so difficult to grasp? As I, and many others, have pointed out,
> repeatedly, it does not matter how many layers you wrap around your
> password-retrieval code, as soon as you make the end-result
> accessible/readable by your web-CGI, you have done just that: made the
> user/password accessible by your web-daemon -- hence, made it accessible to
> everyone with access to your web-server.
>
> And no, adding some sort of access-control within your CGI is equally
> useless: as a user being hosted on your web-server I would not bother to run
> your CGI, but simply copy it for ocular inspection. :)
>
> > Certainly I'd appreciate comments on this by people in the know, because
> > it is an issue that so many people face...
>
> Perhaps those people should do what I do: create special MySQL users
> (@localhost), unprivileged to the max, with only very narrow SELECT
> privileges to the databases they are supposed to read data from, and use
> those users to access the MySQL server in your CGI.
>
> - Mark
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>


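Mark's advice above (a @localhost-only MySQL account with nothing but narrow SELECT grants) as a worked example; this is added here and is not from any post in the thread, and the database `shop`, its tables and the account name `webro` are assumed for illustration:

```sql
-- Added example, not from the thread. 'shop', 'products', 'categories'
-- and 'webro' are assumed names for illustration.

-- Weak setting (do not use): the account the CGI connects with can do
-- anything, from any host. Whoever reads the script's credentials,
-- as the thread notes any co-hosted user can, gets the whole server.
-- GRANT ALL PRIVILEGES ON *.* TO 'web'@'%' IDENTIFIED BY 'secret';

-- Corrected setting: localhost-only account, SELECT on exactly the
-- tables the script reads and nothing else. The password is still
-- readable by neighbours, but the damage is bounded to reading two
-- tables, and the server's own grant tables decide that, not the script.
GRANT SELECT ON shop.products   TO 'webro'@'localhost'
      IDENTIFIED BY 'long-random-password-here';
GRANT SELECT ON shop.categories TO 'webro'@'localhost';
FLUSH PRIVILEGES;

-- On MySQL 8 the IDENTIFIED BY clause is no longer accepted in GRANT:
-- CREATE USER 'webro'@'localhost' IDENTIFIED BY '...'; then GRANT as above.

-- Verify: expect one USAGE line (no privileges) plus the two table-level
-- SELECT grants, and nothing wider.
SHOW GRANTS FOR 'webro'@'localhost';

-- Check from the account's own session (mysql -u webro -p shop):
-- each of these must fail with a "command denied" error.
-- INSERT INTO shop.products (name) VALUES ('x');
-- DROP TABLE shop.products;
-- SELECT * FROM mysql.user;
```

If SHOW GRANTS ever lists more than those lines, the web account has drifted from least privilege and should be tightened before the script goes live.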