When someone hits a PHP page, the server runs the script, executing the login and password, and just sends results to the users (unless I'm mistaken). So the user can't see that login name and password. If they view the source, it just shows the HTML the script generated. So is the application you are giving them access to one that allows them to view and modify scripts on that site?

Let's say to access the database the script logs in with user "root" pass "password". The script would log into the db with those credentials and then prompt the user for their login and password. Their login and password would be stored on a table within the database that is open. Their response would be checked and they would be granted access to the next page. The next page would then log back into the database, still not viewed by the client, and then pull data as your script executes or publish data, all in the background, while the client is just seeing the HTML that the script generates.

I don't see how they could see what is written on the script unless they are logged in to the server or the application you are talking about them accessing is one that allows them to view scripts etc. If I'm wrong or if there is something I'm missing here, please let me know.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: wcb [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 2:55 PM
To: Larry Brown
Subject: Re: Hiding the password

Hi!

I may be misunderstanding some things. However, as best I can here is what I am thinking. I believe that people can find out my id and password because I use scripts to permit people to enter information or delete information. I have been setting up a little housing registry and also a learning/testing site for example. So I have (in these cases) php scripts allowing people to log in and then allowing them to access the applications. The scripts always have to be the "localhost" connection to the database, so they have to log in and all users have access to my scripts. So (as I see it) everyone could potentially see the id and password. On the other hand that doesn't seem to be a huge worry because unless they can connect as localhost using their own scripts or application, then they have to use my scripts and they can't do anything especially evil (not that they want to . . .).

I would definitely agree that if you want airtight security you have to do your own hosting. . . However, at the moment I'm busy with other things so that just isn't a possibility. I'd love to have full access to the user privileges, etc. but that will be maybe a year from now. . .

Thanks!

-warren

> First, why are we conceding that "everyone can find out your id and
> password"? Your hosting company has your site separated from other
> customers' sites right? So we are just talking about the development team
> for your site being privy to this information.
>
> Second, if you are referring to the staff of the hosting company, you can't
> avoid their ability to access data via your login scripts period. As far as
> I know they can view all of your communication with the MySQL database and
> can get that information.
> If you want tight security hosting it yourself is
> a must in my view.
>
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388