mySQL: PHP or direct access?

Peter Haworth pete at lcsql.com
Thu Aug 13 19:38:54 EDT 2015


Thanks Dave.  I think it's beginning to sink in.

In answer to your question, I never trust my users!

On Thu, Aug 13, 2015 at 4:17 PM Dave Cragg <dcragg at lacscentre.co.uk> wrote:

>
> > On 13 Aug 2015, at 23:56, Peter Haworth <pete at lcsql.com> wrote:
> >
> > Thanks Dave.  That's good info.
> >
> > My questions are specifically related to mySQL which is able to accept
> > remote connections by design.
>
> Sorry if I wasn't clear. I was suggesting that it's generally a bad idea
> to allow remote connections. This would allow brute force attacks.
> (Guessing user names and passwords)
>
> >
> > I see your point about passing the credentials but, as mentioned to Bill,
> > doesn't opening the database connection using SSL take care of that?
> Same
> > for your point 3.
>
> It wasn't so much the passing of credentials, but how to keep the
> credentials private. I was imagining a case where the same credentials were
> shared by all instances of your application. How are they stored in the
> application. Can a user discover them? If so, the user can access the
> database directly using the command line or a MySQL utility application
> (e.g. Navicat) and bypass any sanitizing used by your application. Do you
> trust your users? :-)
>
> >
> > I also see your point about the need to update credentials on each
> client.
> > Don't have a follow up on that one :-)
> >
> > I do like the idea of only a single connection to the db from the server
> > side script.  But don't you then start getting into multiple thread
> issues
> > for performance reasons?
>
> I've never really thought about that. I've never experienced such a
> problem.
>
> >
> > Once again, just trying to understand all the implications before going
> > down the wrong path.
>
> A good idea. It's also let me review why I set things up the way I do.
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



More information about the use-livecode mailing list