"Brian A. Seklecki" <lavalamp@xxxxxxxxxxxxxxxxxxxxxx> writes:
> If a "bad person" were to somehow obtain a copy of the source code with a
> password embedded in the connect string (Steal it from a developer who
> uses Windows, or maybe convince Apache to not interpret PHP before sending
> to the client, something stupid like that), they would still be unable to
> connect without a client certificate.

So they steal the client certificate file instead of (the file containing)
the password. How exactly is this more secure?

regards, tom lane