advice on a Rev-plus-internet setup (off-topic)

viktoras didziulis viktoras at ekoinf.net
Sun Jan 6 06:13:08 EST 2008


Hi Nicolas,

any communication between the client and the server can be sniffed. So 
passwords that the client passes to the server are not sufficient to protect 
the database. As Ken wrote, you can try setting up different access 
levels for different users in MySQL. And never trust the submitted 
content, which means your relay script has to prevent any access to the 
database unless the submitted string is not what it is supposed to be.

For example you can use regular expressions in the server-side script to 
detect anything that should not come from the client - something like this:
#!/usr/bin/perl
use strict;
use warnings;

my $q = $ENV{QUERY_STRING} || '';   # SQL string submitted by the client (CGI)

# Note: the pattern must not start with "|": an empty alternative matches
# every string, so nothing would ever reach the database.
unless ($q =~ m/alter |insert|truncate|drop |modify|create|\0|use |check | key /i)
{
    # pass sql string ($q) to the database and return result
}
else
{
    # Access denied to prevent SQL injection attempt
    print "sorry, you can't";
    exit 0;
}

Best wishes
Viktoras
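The keyword filter above in runnable form, next to the stricter arrangement the post points at (only accept strings that are what they are supposed to be), as an added Python example that is not code from the original post: sqlite3 stands in for MySQL, and the books table, action names and rows are constructed for the demo.

```python
import re
import sqlite3

# The keyword filter from the post, written without the leading "|" (an empty
# alternative matches every string and would reject every query).
FORBIDDEN = re.compile(r"alter |insert|truncate|drop |modify|create|\0|use |check | key ", re.I)

def blacklist_allows(sql):
    """True if the regex blacklist would pass this SQL string to the database."""
    return FORBIDDEN.search(sql) is None

# Allowlist alternative for the relay script: the client never sends SQL text,
# only the name of a predefined query plus its parameter values. The values are
# bound as parameters, so a quote inside them stays plain data.
# Assumption: table, action names and columns are constructed for this example.
ACTIONS = {
    "list_by_author": ("SELECT title FROM books WHERE author = ? ORDER BY title", 1),
    "count_all": ("SELECT COUNT(*) FROM books", 0),
}

def relay(conn, action, params):
    """Run a named query on behalf of the client; returns (status, rows)."""
    if action not in ACTIONS:
        return "denied", []          # anything not on the allowlist is refused
    sql, nparams = ACTIONS[action]
    if len(params) != nparams:
        return "bad_params", []
    return "ok", conn.execute(sql, params).fetchall()

def demo_db():
    """In-memory SQLite database standing in for MySQL (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", [
        ("Tales", "O'Brien"), ("Volume 1", "Knuth"), ("Volume 2", "Knuth"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_db()
    # A harmless query is blocked because a title happens to contain "create":
    print(blacklist_allows("select title from books where title like '%create%'"))
    # The allowlist relay handles an apostrophe in a value as data, not SQL:
    print(relay(conn, "list_by_author", ["O'Brien"]))
    print(relay(conn, "run_sql", ["drop table books"]))
```

The false positive on "create" shows why the allowlist is the more reliable of the two: the regex inspects text, while the named-query relay never lets client text become SQL at all.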

Nicolas Cueto wrote:
> Many thanks to Viktoras and Len for the server side "relay"
> explanation.
>
> I can now use Rev to connect with a MySQL database stored on my
> web-host's server thru a php relay-script that is also on the same
> server.
>
> One other thing, now. The issue of security has been brought up. For
> now,
> my solution has been to place my server-side php relay-scripts in a
> password
> protected folder. This way, when my Rev stack calls the php
> relay-script, I
> include the user name and password for that folder in the url.
>
> Is that sufficient? Or, what's the other avenue I should now be
> following?
>
> Again, many thanks for both the help and patience.
>
> Cheers,
>
> Nicolas Cueto
>