webmaster
Wed, 20 Sep 2000 02:16:59 -0700
Jan,

All I can say is

1. Thanks for the handler. I can't remember the last time I saw a new handler being talked about here.
2. I'm glad I've got some real discussion going on this list. It is often too quiet and full of moans when it could be so much more. At least this encourages to share things. It would be nice to see more less obvious handlers being discussed.

Ade Atobatele
[EMAIL PROTECTED]

> -----Original Message-----
> From: Jan Peter Hecking [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 20, 2000 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: Re: SQL Handler
>
>
> On Wed, Sep 20, 2000 at 08:09:01AM +0100, John McCormac wrote:
> > Jan Peter Hecking wrote:
> > >
> > > <!--newsclipper
> > > <input name=sql driver="dbi:mysql:test" user="testuser" pass="somepassword" query="select * from sometable">
> > > -->
> >
> > This would be a very dangerous thing to include in a webpage without
> > properly securing MySQL first and making sure that the user has very
> > limited read-only permissions. The HTML is viewable in any browser so a
> > potential attacker would have a valid username/password combination for
> > the database. Making MySQL run as localhost only (without networking
> > facilities) may go some of the way to securing it.
>
> Absolutely correct. Even while the actual NewsClipper command is
> only included in the output page in case an error occurs during
> execution. I should have pointed that out and excuse for not doing
> so. But this handler was never meant for production use but rather
> as an example to show Ade how it could be done.
>
> I've attached a new version of the sql handler that reads db
> connection data from a file you have to provide like this:
>
> <!--newsclipper
> <input name=sql dbconf="/wwwusers/db.cfg" query="select * from sometable">
> -->
>
> db.cfg looks like this:
>
> DRIVER=dbi:mysql:test
> USER=test
> PASS=test
>
> bye,
> Jan
>
> --
> Jan Peter Hecking eMail: [EMAIL PROTECTED]
> Student @ University of Rostock, Department of Computer Science
> pgp pubkey: http://www.informatik.uni-rostock.de/~jhecking/pgp/
> Technews -- Comics -- Bookmarks --> http://deathgate.dhs.org/
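
Moving the credentials into db.cfg only helps if that file is itself out of reach of the web server and of other local users. The following is an added example, not part of this thread and not Jan's attached handler: a loader for the DRIVER/USER/PASS format quoted above that refuses a config file inside the document root or readable by group/other. The name `load_dbconf`, the `$docroot` parameter and the Unix permission model are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example: load a db.cfg of the form quoted above (DRIVER/USER/PASS),
# refusing files that the web server or other local users could expose.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# load_dbconf and $docroot are hypothetical names; $docroot is the directory
# the web server serves. Assumes Unix-style permission bits.
sub load_dbconf {
    my ($path, $docroot) = @_;
    my $real = abs_path($path)    or die "cannot resolve $path\n";
    my $root = abs_path($docroot) or die "cannot resolve $docroot\n";
    die "$real is inside the document root\n"
        if index("$real/", "$root/") == 0;

    open(my $fh, '<', $real) or die "cannot open $real: $!\n";
    my @st = stat($fh) or die "cannot stat $real: $!\n";
    die "$real is accessible to group/other\n" if $st[2] & 0077;

    my %conf;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#.*)?$/;            # blank lines, comments
        $line =~ /^\s*(DRIVER|USER|PASS)=(.*?)\s*$/
            or die "unexpected line $. in $real\n";  # never echo the line itself
        $conf{$1} = $2;
    }
    close($fh);
    for my $key (qw(DRIVER USER PASS)) {
        die "$key missing in $real\n" unless defined $conf{$key};
    }
    return \%conf;
}

# Constructed demo: a private directory next to a stand-in document root.
my $dir = tempdir(CLEANUP => 1);
mkdir "$dir/htdocs" or die "mkdir: $!\n";
my $cfg = "$dir/db.cfg";
open(my $out, '>', $cfg) or die "write: $!\n";
print {$out} "DRIVER=dbi:mysql:test\nUSER=test\nPASS=test\n";
close($out);

chmod 0600, $cfg;
my $conf = load_dbconf($cfg, "$dir/htdocs");
print "loaded $conf->{DRIVER} as $conf->{USER}\n";   # password is not printed

chmod 0644, $cfg;                                    # now readable by others
print "refused: $@" unless eval { load_dbconf($cfg, "$dir/htdocs"); 1 };
```

The three returned values map onto the data source, username and password arguments of `DBI->connect`. The error messages name the file and line number only, so a failure written into the output page does not leak the credentials.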