On Apr 20, 2013, at 11:44 AM, Stuart Dallas <stu...@3ft9.com> wrote:

> On 20 Apr 2013, at 16:25, Jim Giner <jim.gi...@albanyhandball.com> wrote:
>>> Why are you allowing anyone to connect to your database from a form?
>> A little OT, but...
>> What do you mean by this question?  How do you check someone's credentials 
>> if not by connecting to a db to verify the login?  Cause I'm doing the same 
>> kind of thing all over the place.  With good practices on validation and 
>> such before doing my query of course.
> I'm pretty sure that's not what tedd meant. The code is logging in to the 
> database server using the username and password from the form. There are very 
> few legitimate reasons to be doing this, so the question is well worth asking.
> -Stuart

Stuart is exactly right.

If you are checking someone's credentials to access your site, such as a user, 
then giving them the "keys to the kingdom" is a bit of an overkill.

My advice, set up "user_id" and "password" fields in a "user" table for users 
you want to access some portion of your site, here's the code to do that:


Where I have said "// define your user id here" is the place to actually open 
your database and access your user table to gather the correct user_id and 

I also suggest that when you open the database you only use literals from a 
config.php file ($dbhost,$dbuser,$dbpass) for accessing the actual database and 
then check the user_id and password before giving them authorization to private 

Keep the private stuff private!




PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to