On Sat, Apr 20, 2013 at 9:37 PM, Glob Design Info <info@xxxxxxxxxxxxxx> wrote:
> Right now this is just a test server. On the real thing I'll do it right.
>
>
> On 4/20/13 10:58 AM, Tedd Sperling wrote:
>>
>> On Apr 20, 2013, at 11:44 AM, Stuart Dallas <stuart@xxxxxxxx> wrote:
>>
>>> On 20 Apr 2013, at 16:25, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx> wrote:
>>>
>>>>> Why are you allowing anyone to connect to your database from a form?
>>>>>
>>>> A little OT, but...
>>>> What do you mean by this question? How do you check someone's
>>>> credentials if not by connecting to a db to verify the login? Cause I'm
>>>> doing the same kind of thing all over the place. With good practices on
>>>> validation and such before doing my query, of course.
>>>
>>> I'm pretty sure that's not what tedd meant. The code is logging in to the
>>> database server using the username and password from the form. There are
>>> very few legitimate reasons to be doing this, so the question is well worth
>>> asking.
>>>
>>> -Stuart
>>
>> Stuart is exactly right.
>>
>> If you are checking someone's credentials to access your site, such as a
>> user, then giving them the "keys to the kingdom" is a bit of an overkill.
>>
>> My advice: set up "user_id" and "password" fields in a "user" table for
>> users you want to access some portion of your site. Here's the code to do
>> that:
>>
>> http://sperling.com/php/authorization/log-on.php
>>
>> Where I have said "// define your user id here" is the place to actually
>> open your database and access your user table to gather the correct user_id
>> and password.
>>
>> I also suggest that when you open the database you only use literals from
>> a config.php file ($dbhost, $dbuser, $dbpass) for accessing the actual
>> database, and then check the user_id and password before giving them
>> authorization to private areas.
>>
>> Keep the private stuff private!
>>
>> Cheers,
>>
>> tedd
>>
>> _____________________
>> tedd.sperling@xxxxxxxxx
>> http://sperling.com
>>

That is a great point -- I was thinking this was a private app, but you should never ever ever ever ever ever (x infinity) allow wild wild web access to your database like this.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
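The pattern tedd describes above, written out as an added example (this is not the script at sperling.com and not code from anyone in the thread): the database is opened with the application's own fixed, low-privilege account taken from config.php, and the form's user_id/password are checked against a "user" table that stores only a password hash. The commented-out line shows the anti-pattern the thread is objecting to. The config.php variable names, the table layout, the `/private/` redirect target and the hypothetical `webapp` account are assumptions; `password_hash()`/`password_verify()` need PHP 5.5 or newer.

```php
<?php
// Added example, not the thread's own code. Assumed config.php contents
// (hypothetical values; keep this file outside the web root):
//   $dbhost = 'localhost'; $dbname = 'site'; $dbuser = 'webapp'; $dbpass = 'change-me';
// Assumed table:
//   CREATE TABLE user (user_id VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255) NOT NULL);
require __DIR__ . '/config.php';

// WRONG (what the thread warns against): the form's credentials become the
// database server's credentials, so every site visitor needs a real MySQL
// account and a valid login gets whatever that account can do.
//   $pdo = new PDO("mysql:host=$dbhost;dbname=$dbname", $_POST['user_id'], $_POST['password']);

// RIGHT: the application's fixed account from config.php opens the database.
// That account only needs SELECT/INSERT on the tables the site actually uses.
function db_connect($dbhost, $dbname, $dbuser, $dbpass)
{
    return new PDO("mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4", $dbuser, $dbpass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Store a salted bcrypt hash, never the password itself.
function create_user(PDO $pdo, $user_id, $password)
{
    $stmt = $pdo->prepare('INSERT INTO user (user_id, password_hash) VALUES (:id, :hash)');
    $stmt->execute([
        ':id'   => $user_id,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// True only if user_id exists and the password matches its stored hash.
// The bound parameter keeps the form value out of the SQL text entirely.
function check_login(PDO $pdo, $user_id, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM user WHERE user_id = :id');
    $stmt->execute([':id' => $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still pay for one bcrypt verification so the response
        // time does not reveal which user_ids exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Form handler: only a string user_id/password pair is accepted from the form.
session_start();
$pdo      = db_connect($dbhost, $dbname, $dbuser, $dbpass);
$user_id  = (isset($_POST['user_id'])  && is_string($_POST['user_id']))  ? $_POST['user_id']  : '';
$password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

if ($user_id !== '' && check_login($pdo, $user_id, $password)) {
    session_regenerate_id(true);     // new session id on login, against fixation
    $_SESSION['user_id'] = $user_id; // private pages check this, not the database login
    header('Location: /private/');
    exit;
}

http_response_code(401);
echo 'Log-on failed.';
```

The private pages then only need `session_start()` and a check that `$_SESSION['user_id']` is set; the database account in config.php is never exposed to, or chosen by, the visitor.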