John McCormac
Wed, 20 Sep 2000 00:02:57 -0700
Jan Peter Hecking wrote:
>
> <!--newsclipper
> <input name=sql driver="dbi:mysql:test" user="testuser" pass="somepassword"
> query="select * from sometable">
> -->

This would be a very dangerous thing to include in a webpage without properly securing MySQL first and making sure that the user has very limited read-only permissions. The HTML is viewable in any browser so a potential attacker would have a valid username/password combination for the database. Making MySQL run as localhost only (without networking facilities) may go some of the way to securing it.

Regards...jmcc
--
********************************************
John McCormac            * Hack Watch News
[EMAIL PROTECTED]        * 22 Viewmount,
Voice: +353-51-873640    * Waterford,
BBS&Fax: +353-51-850143  * Ireland
http://www.hackwatch.com/~kooltek
********************************************
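A defender-side check for the exposure described in this message, added here as an example (not code from the original post or from the NewsClipper project): it scans page HTML for newsclipper comment blocks that carry a password attribute and reports where they are without echoing the secret. The function name, the set of password attribute names and the sample page are assumptions constructed for illustration.

```python
import re

# A NewsClipper command block as quoted in the message: <!--newsclipper ... -->
BLOCK_RE = re.compile(r"<!--\s*newsclipper\b(.*?)-->", re.IGNORECASE | re.DOTALL)
# name=value pairs; the value may be double-quoted, single-quoted or bare.
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Assumption: attribute names treated as secrets ("pass" is the one in the message).
SECRET_ATTRS = {"pass", "password", "passwd", "pwd"}

# Constructed sample page: one harmless block, one with database credentials.
SAMPLE_PAGE = """<html><body>
<!--newsclipper
<input name=examplehandler>
-->
<!--newsclipper
<input name=sql driver="dbi:mysql:test" user="testuser" pass="somepassword"
query="select * from sometable">
-->
</body></html>
"""

def find_exposed_credentials(html):
    """Return one finding per newsclipper block that has a non-empty secret attribute."""
    findings = []
    for block in BLOCK_RE.finditer(html):
        attrs = {}
        for m in ATTR_RE.finditer(block.group(1)):
            # Exactly one of the three value groups matched; take that one.
            value = next(v for v in m.groups()[1:] if v is not None)
            attrs[m.group(1).lower()] = value
        secret = next((name for name in attrs if name in SECRET_ATTRS), None)
        if secret and attrs[secret]:
            findings.append({
                "line": html.count("\n", 0, block.start()) + 1,
                "driver": attrs.get("driver"),
                "user": attrs.get("user"),
                "secret_attr": secret,  # report the attribute name, never the value
            })
    return findings

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_PAGE):
        print("line %(line)d: %(secret_attr)s= for user %(user)r on %(driver)s" % f)
```

Run against the files the web server actually serves; any finding means the credential should be rotated and the account reduced to the read-only, localhost-only access the message recommends.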