Unless someone else knows differently I don't think any amount of know-how
from a visitor to the site will allow them to view the script itself unless
some mishap happened to the web server and it stopped parsing the script and
just displayed the contents or if it didn't recognize the tags for some
reason.  If someone knows differently please let me know.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-----Original Message-----
From: wcb [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 04, 2003 3:52 PM
To: Larry Brown
Subject: Re: Hiding the password

Hi!

Oh no, the people who log in cannot modify scripts.  That would be suicide.
. .   They log via something I made that maintains an md5 hash (quite a long
one) which is their "log-in flag" maintained via a cookie while they are
logged in.  It also requires the user's personal password (which has nothing
to do with the database).  Then they can access the database via scripts.
The database id and password are buried in an "include" script.  The scripts
just do some inserting and updating on tables that "belong" to the person in
question, so they can (in the case of the learning/testing application for
instance) enter test questions and post tests that their students can
access.

I'm hoping that people can't get access to the id and password but I have
always assumed that someone with ability may be able to extract the script
itself and examine it.  However, since they can't log in to the server (but
only to my "log in" facility, which allows them access to a folder
containing a script which they cannot modify) they are not "localhost" users
or visitors.  The scripts they can access reside on localhost, but nobody
can touch the scripts. . .

Thanks again!  I'm feeling somewhat better!

Cheers!

-warren




----- Original Message -----
From: "Larry Brown" <[EMAIL PROTECTED]>
To: "wcb" <[EMAIL PROTECTED]>
Sent: Saturday, January 04, 2003 12:33 PM
Subject: RE: Hiding the password


> When someone hits a php page the server runs the script executing the
> login and password and just sends results to the users.  (unless I'm
> mistaken) So the user can't see that login name and password.  If they
> view the source it just shows the html the script generated.  So is the
> application you are giving them access to one that allows them to view
> and modify scripts on that site?  Let's say to access the database the
> script logs in with user "root" pass "password".  The script would log
> into the db with those credentials and then prompt the user for their
> login and password.  Their login and password would be stored on a table
> within the database that is open.  Their response would be checked and
> they would be granted access to the next page.  The next page would then
> log back into the database still not viewed by the client and then pull
> data as your script executes or publish data all in the background while
> the client is just seeing the html that the script generates.  I don't
> see how they could see what is written on the script unless they are
> logged in to the server or the application you are talking about them
> accessing is one that allows them to view scripts etc.  If I'm wrong or
> if there is something I'm missing here please let me know.
>
> Larry S. Brown
> Dimension Networks, Inc.
> (727) 723-8388
>
> -----Original Message-----
> From: wcb [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 04, 2003 2:55 PM
> To: Larry Brown
> Subject: Re: Hiding the password
>
> Hi!
>
> I may be misunderstanding some things.  However, as best I can here is
> what I am thinking.
>
> I believe that people can find out my id and password because I use
> scripts to permit people to enter information or delete information.  I
> have been setting up a little housing registry and also a
> learning/testing site for example.  So I have (in these cases) php
> scripts allowing people to log in and then allowing them to access the
> applications.  The scripts always have to be the "localhost" connection
> to the database, so they have to log in and all users have access to my
> scripts.  So (as I see it) everyone could potentially see the id and
> password.  On the other hand that doesn't seem to be a huge worry
> because unless they can connect as localhost using their own scripts or
> application, then they have to use my scripts and they can't do anything
> especially evil (not that they want to . . .).
>
> I would definitely agree that if you want airtight security you have to
> do your own hosting. . .  However, at the moment I'm busy with other
> things so that just isn't a possibility.  I'd love to have full access
> to the user privileges, etc. but that will be maybe a year from now. . .
>
> Thanks!
>
> -warren
>
>
>
>
> > First, why are we conceding that "everyone can find out your id and
> > password"?  Your hosting company has your site separated from other
> > customers' sites right?  So we are just talking about the development
> > team for your site being privy to this information.
> >
> > Second, if you are referring to the staff of the hosting company, you
> > can't avoid their ability to access data via your login scripts period.
> > As far as I know they can view all of your communication with the MySQL
> > database and can get that information.  If you want tight security
> > hosting it yourself is a must in my view.
> >
> > Larry S. Brown
> > Dimension Networks, Inc.
> > (727) 723-8388
> >
>
>



---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
