On Apr 20, 2013, at 11:44 AM, Stuart Dallas <stu...@3ft9.com> wrote:

> On 20 Apr 2013, at 16:25, Jim Giner <jim.gi...@albanyhandball.com> wrote:
> 
>>> Why are you allowing anyone to connect to your database from a form?
>>> 
>> A little OT, but...
>> What do you mean by this question?  How do you check someone's credentials 
>> if not by connecting to a db to verify the login?  Cause I'm doing the same 
>> kind of thing all over the place.  With good practices on validation and 
>> such before doing my query of course.
> 
> I'm pretty sure that's not what tedd meant. The code is logging in to the 
> database server using the username and password from the form. There are very 
> few legitimate reasons to be doing this, so the question is well worth asking.
> 
> -Stuart

Stuart is exactly right.

If you are checking someone's credentials to access your site, such as a user, 
then giving them the "keys to the kingdom" is a bit of an overkill.

My advice: set up "user_id" and "password" fields in a "user" table for users 
you want to access some portion of your site. Here's the code to do that:

http://sperling.com/php/authorization/log-on.php

Where I have said "// define your user id here" is the place to actually open 
your database and access your user table to gather the correct user_id and 
password.

I also suggest that when you open the database you only use literals from a 
config.php file ($dbhost,$dbuser,$dbpass) for accessing the actual database and 
then check the user_id and password before giving them authorization to private 
areas.

Keep the private stuff private!

Cheers,

tedd

_____________________
tedd.sperl...@gmail.com
http://sperling.com
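As an added example (not tedd's log-on.php and not code from the list post), here is the pattern the message describes in PHP: the application connects to the database with fixed credentials taken from a config.php-style array, then checks the visitor's user_id and password against a "user" table with a prepared statement. The form values are never used as database credentials. To keep it self-contained and runnable it uses an in-memory SQLite database; the DSN, the `app_readonly` account name, the "alice" row and its password are all constructed for the demo, and the `password` column is assumed to hold a `password_hash()` output rather than plaintext.

```php
<?php
declare(strict_types=1);

// Equivalent of config.php: literals the application uses to reach the
// database. These are constructed demo values; a real deployment keeps this
// file outside the web root and out of version control.
$dbConfig = [
    // Real MySQL form would be 'mysql:host=localhost;dbname=app'.
    'dsn'  => 'sqlite::memory:',
    'user' => 'app_readonly',   // assumed account name (unused by SQLite)
    'pass' => 'CHANGE-ME',      // placeholder (unused by SQLite)
];

// Open the database with the configured credentials only.
function openDatabase(array $config): PDO
{
    $isSqlite = str_starts_with($config['dsn'], 'sqlite:');
    $pdo = new PDO(
        $config['dsn'],
        $isSqlite ? null : $config['user'],
        $isSqlite ? null : $config['pass']
    );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Constructed sample "user" table with one row. The password column stores a
// hash, never the plaintext password.
function seedDemoUser(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE user (user_id TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO user (user_id, password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => 'alice',
        ':p' => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
}

// Check the submitted credentials against the user table.
// Returns the user_id on success, null on failure.
function authenticate(PDO $pdo, string $userId, string $password): ?string
{
    // Prepared statement: the form input is bound as data, not spliced into SQL.
    $stmt = $pdo->prepare('SELECT user_id, password FROM user WHERE user_id = :u');
    $stmt->execute([':u' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even for an unknown user, so the response
    // time does not reveal which user_ids exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = is_array($row) ? $row['password'] : $dummyHash;

    $ok = password_verify($password, $hash) && is_array($row);
    return $ok ? $row['user_id'] : null;
}

// Usage as it would appear in a log-on handler. In the real handler the two
// form values come from $_POST['user_id'] and $_POST['password'].
$pdo = openDatabase($dbConfig);
seedDemoUser($pdo);

foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['mallory', 'x']] as [$u, $p]) {
    $who = authenticate($pdo, $u, $p);
    if ($who !== null) {
        // Here a real site would start the session and record $who before
        // showing the private areas.
        echo "log-on ok for {$who}\n";
    } else {
        echo "log-on failed for {$u}\n";
    }
}
```

The database account in the config should have only the privileges the application needs (read on the user table, plus whatever the site itself writes); the site's visitors never see or use it, which is the separation the thread is pointing at.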

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
