When someone hits a PHP page the server runs the script executing the login
and password and just sends results to the users (unless I'm mistaken).  So
the user can't see that login name and password.  If they view the source it
just shows the HTML the script generated.  So is the application you are
giving them access to one that allows them to view and modify scripts on
that site?  Let's say to access the database the script logs in with user
"root" pass "password".  The script would log into the db with those
credentials and then prompt the user for their login and password.  Their
login and password would be stored on a table within the database that is
open.  Their response would be checked and they would be granted access to
the next page.  The next page would then log back into the database, still not
viewed by the client, and then pull data as your script executes or publish
data all in the background while the client is just seeing the HTML that the
script generates.  I don't see how they could see what is written on the
script unless they are logged in to the server or the application you are
talking about them accessing is one that allows them to view scripts etc.
If I'm wrong or if there is something I'm missing here please let me know.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: wcb [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 2:55 PM
To: Larry Brown
Subject: Re: Hiding the password

Hi!

I may be misunderstanding some things.  However, as best I can, here is what
I am thinking.

I believe that people can find out my id and password because I use scripts
to permit people to enter information or delete information.  I have been
setting up a little housing registry and also a learning/testing site for
example.  So I have (in these cases) php scripts allowing people to log in
and then allowing them to access the applications.  The scripts always have
to be the "localhost" connection to the database, so they have to log in and
all users have access to my scripts.  So (as I see it) everyone could
potentially see the id and password.    On the other hand that doesn't seem
to be a huge worry because unless they can connect as localhost using their
own scripts or application, then they have to use my scripts and they can't
do anything especially evil (not that they want to . . .).

I would definitely agree that if you want airtight security you have to do
your own hosting. . .  However, at the moment I'm busy with other things so
that just isn't a possibility.  I'd love to have full access to the user
privileges, etc. but that will be maybe a year from now. . .

Thanks!

-warren




> First, why are we conceding that "everyone can find out your id and
> password"?  Your hosting company has your site separated from other
> customers' sites right?  So we are just talking about the development team
> for your site being privy to this information.
>
> Second, if you are referring to the staff of the hosting company, you can't
> avoid their ability to access data via your login scripts period.  As far as
> I know they can view all of your communication with the MySQL database and
> can get that information.  If you want tight security hosting it yourself is
> a must in my view.
>
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388
>
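
The flow described in the top message of this thread (the script connects with its own database credentials, then checks the visitor's login against a table, and the browser only receives the generated HTML), as an added example that is not code from anyone in the thread. The `users` table, the `DB_DSN`/`DB_USER`/`DB_PASS` variables and the sample account are assumptions, and an in-memory SQLite database (needs the `pdo_sqlite` extension) stands in for MySQL so it runs without a server.

```php
<?php
// Added example; table name, DB_* variables and the sample account are assumptions.

// DB credentials are read server-side (environment, or a file outside the web
// root) and are never written into the HTML the browser receives.
function connect(): PDO {
    $dsn  = getenv('DB_DSN') ?: 'sqlite::memory:'; // e.g. mysql:host=localhost;dbname=registry
    $user = getenv('DB_USER') ?: null;             // a limited account rather than root
    $pass = getenv('DB_PASS') ?: null;
    return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Check the visitor's own login against the users table (hashes, not plaintext).
function checkLogin(PDO $db, string $login, string $password): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);                      // bound parameter, no string concatenation
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

try {
    $db = connect();
} catch (PDOException $e) {
    // A displayed connection error or stack trace is one way details do reach
    // the browser: keep them in the server log and send a generic message.
    error_log($e->getMessage());
    exit('Service unavailable');
}

// Constructed sample data so the example runs stand-alone.
$db->exec('CREATE TABLE users (login VARCHAR(64) PRIMARY KEY, pass_hash VARCHAR(255))');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret-example', PASSWORD_DEFAULT)]);

// In a real page these come from the submitted form; defaults let it run from the CLI.
$login    = $_POST['login']    ?? 'alice';
$password = $_POST['password'] ?? 's3cret-example';

// Only this output is sent to the client; nothing above appears in "view source".
echo checkLogin($db, $login, $password)
    ? "<p>Welcome, " . htmlspecialchars($login) . "</p>\n"
    : "<p>Login failed</p>\n";
```
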


