mySQL: PHP or direct access?

Dave Cragg dcragg at lacscentre.co.uk
Thu Aug 13 19:16:28 EDT 2015


> On 13 Aug 2015, at 23:56, Peter Haworth <pete at lcsql.com> wrote:
> 
> Thanks Dave.  That's good info.
> 
> My questions are specifically related to mySQL which is able to accept
> remote connections by design.

Sorry if I wasn't clear. I was suggesting that it's generally a bad idea to allow remote connections. This would allow brute force attacks (guessing user names and passwords).

> 
> I see your point about passing the credentials but, as mentioned to Bill,
> doesn't opening the database connection using SSL take care of that?  Same
> for your point 3.

It wasn't so much the passing of credentials, but how to keep the credentials private. I was imagining a case where the same credentials were shared by all instances of your application. How are they stored in the application? Can a user discover them? If so, the user can access the database directly using the command line or a MySQL utility application (e.g. Navicat) and bypass any sanitizing used by your application. Do you trust your users? :-)

> 
> I also see your point about the need to update credentials on each client.
> Don't have a follow up on that one :-)
> 
> I do like the idea of only a single connection to the db from the server
> side script.  But don't you then start getting into multiple thread issues
> for performance reasons?

I've never really thought about that. I've never experienced such a problem. 

> 
> Once again, just trying to understand all the implications before going
> down the wrong path.

A good idea. It's also let me review why I set things up the way I do. 
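The "single connection from a server-side script" arrangement discussed above, as an added example that is not code from the thread or from either poster: a small PHP endpoint that keeps the MySQL credentials on the server, binds the only client-supplied values as parameters, and relies on a MySQL account that is restricted to localhost so a leaked password cannot be used from a remote host. The database name `shop`, the table `customers` with columns `id`, `name` and `email`, the config path `/etc/myapp/db.php`, and the `app` account are all assumptions made for the example.

```php
<?php
// Added example, not from the mailing-list thread. Assumptions (not from the
// page): a database `shop` with a table `customers` (id, name, email), a
// config file outside the web root at /etc/myapp/db.php, and a MySQL account
// created on the server like this:
//
//   CREATE USER 'app'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON shop.customers TO 'app'@'localhost';
//
// 'localhost' (rather than '%') means the account is unusable from a remote
// host even if the password leaks, and the narrow GRANT limits what a leaked
// password could do. Contrast: an 'app'@'%' account with broad privileges
// embedded in every client copy of the application.

declare(strict_types=1);

// Throw on MySQL errors instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Credentials live in a file the web server can read but clients cannot fetch.
// Assumed to return ['host' => '127.0.0.1', 'user' => 'app', 'pass' => '...', 'db' => 'shop'].
$cfg = require '/etc/myapp/db.php';

// Clients never send SQL. They send a search term and a page number, both of
// which are validated here and then bound as parameters below.
$term = $_GET['q'] ?? '';
$page = filter_var(
    $_GET['page'] ?? '1',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 10000]]
);

if (!is_string($term) || strlen($term) > 64 || $page === false) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'bad request']);
    exit;
}

$perPage = 50;
$offset  = ($page - 1) * $perPage;

$db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
$db->set_charset('utf8mb4');

// Prepared statement: the search term travels separately from the SQL text,
// so quotes or semicolons in $term cannot change the statement. LIKE
// wildcards are escaped too, so a user cannot turn a search into
// "match every row" by sending "%" or "_".
$pattern = '%' . addcslashes($term, '%_\\') . '%';

$stmt = $db->prepare(
    'SELECT id, name, email FROM customers WHERE name LIKE ? ORDER BY id LIMIT ? OFFSET ?'
);
$stmt->bind_param('sii', $pattern, $perPage, $offset);
$stmt->execute();

// get_result() needs the mysqlnd driver, which standard PHP builds include.
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

header('Content-Type: application/json');
echo json_encode(['page' => $page, 'rows' => $rows]);
```

Two caveats a practitioner would add: the endpoint now stands in for the database, so it needs its own per-user authentication (a session or token) and should be served over HTTPS, since the clients no longer hold any database credentials to authenticate with; and the MySQL server should listen only on the loopback address (or be firewalled) so that the `'localhost'` restriction is backed by the network as well as by the grant table.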



More information about the use-livecode mailing list