mySQL: PHP or direct access?
pete at lcsql.com
Fri Aug 14 01:38:54 CEST 2015
Thanks Dave. I think it's beginning to sink in.
In answer to your question, I never trust my users!
On Thu, Aug 13, 2015 at 4:17 PM Dave Cragg <dcragg at lacscentre.co.uk> wrote:
> > On 13 Aug 2015, at 23:56, Peter Haworth <pete at lcsql.com> wrote:
> > Thanks Dave. That's good info.
> > My questions are specifically related to mySQL which is able to accept
> > remote connections by design.
> Sorry if I wasn't clear. I was suggesting that it's generally a bad idea
> to allow remote connections. This would allow brute force attacks.
> (Guessing user names and passwords)
> > I see your point about passing the credentials but, as mentioned to Bill,
> > doesn't opening the database connection using SSL take care of that?
> > for your point 3.
> It wasn't so much the passing of credentials, but how to keep the
> credentials private. I was imagining a case where the same credentials were
> shared by all instances of your application. How are they stored in the
> application? Can a user discover them? If so, the user can access the
> database directly using the command line or a MySQL utility application
> (e.g. Navicat) and bypass any sanitizing used by your application. Do you
> trust your users? :-)
> > I also see your point about the need to update credentials on each
> > Don't have a follow up on that one :-)
> > I do like the idea of only a single connection to the db from the server
> > side script. But don't you then start getting into multiple thread
> > for performance reasons?
> I've never really thought about that. I've never experienced such a
> > Once again, just trying to understand all the implications before going
> > down the wrong path.
> A good idea. It's also let me review why I set things up the way I do.
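An added illustration of the server-side script approach discussed in this thread; it is not code from either poster. The endpoint, the `sessions` and `orders` tables and their columns, the `X-Session-Token` header and the `APP_DB_*` environment variables are all assumptions. The script keeps the MySQL credentials on the server, connects over loopback so the database need not accept remote connections, and runs only fixed, parameterized queries scoped to the authenticated user.

```php
<?php
// Added example (not from the thread). Tables `sessions` and `orders`, their columns,
// the X-Session-Token header and the APP_DB_* environment variables are assumptions.

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// The MySQL credentials exist only on the server; the desktop app never holds them.
$name = getenv('APP_DB_NAME');
$user = getenv('APP_DB_USER');
$pass = getenv('APP_DB_PASS');
if ($name === false || $user === false || $pass === false) {
    fail(500, 'server misconfigured');
}

// The client sends a per-user session token instead of database credentials.
$token = $_SERVER['HTTP_X_SESSION_TOKEN'] ?? '';
if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
    fail(401, 'missing or malformed token');
}

try {
    // Loopback connection: mysqld does not have to listen for remote clients.
    $pdo = new PDO("mysql:host=127.0.0.1;dbname=$name;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Resolve the token to a user; the table stores only a SHA-256 hash of each token.
    $stmt = $pdo->prepare('SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->execute([hash('sha256', $token)]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        fail(401, 'invalid or expired session');
    }

    // The query text is fixed; the caller cannot choose the table, columns or owner.
    $stmt = $pdo->prepare('SELECT id, item, created_at FROM orders WHERE user_id = ? ORDER BY id');
    $stmt->execute([$userId]);
    header('Content-Type: application/json');
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (PDOException $e) {
    error_log($e->getMessage());   // details go to the server log, not to the client
    fail(500, 'database error');
}
```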