Night now this is just a test server. On the real thing I'll do it right.

On 4/20/13 10:58 AM, Tedd Sperling wrote:
On Apr 20, 2013, at 11:44 AM, Stuart Dallas <stu...@3ft9.com> wrote:

On 20 Apr 2013, at 16:25, Jim Giner <jim.gi...@albanyhandball.com> wrote:

Why are you allowing anyone to connect to your database from a form?

A little OT, but...
What do you mean by this question?  How do you check someone's credentials if 
not by connecting to a db to verify the login?  Cause I'm doing the same kind 
of thing all over the place.  With good practices on validation and such before 
doing my query of course.
I'm pretty sure that's not what tedd meant. The code is logging in to the 
database server using the username and password from the form. There are very 
few legitimate reasons to be doing this, so the question is well worth asking.

-Stuart
Stuart is exactly right.

If you are checking someone's credentials to access your site, such as a user, then 
giving them the "keys to the kingdom" is a bit of an overkill.

My advice, set up "user_id" and "password" fields in a "user" table for users 
you want to access some portion of your site, here's the code to do that:

http://sperling.com/php/authorization/log-on.php

Where I have said "// define your user id here" is the place to actually open 
your database and access your user table to gather the correct user_id and password.

I also suggest that when you open the database you only use literals from a 
config.php file ($dbhost,$dbuser,$dbpass) for accessing the actual database and 
then check the user_id and password before giving them authorization to private 
areas.

Keep the private stuff private!

Cheers,

tedd

_____________________
tedd.sperl...@gmail.com
http://sperling.com



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to