On Apr 20, 2013, at 11:44 AM, Stuart Dallas <stu...@3ft9.com> wrote:
> On 20 Apr 2013, at 16:25, Jim Giner <jim.gi...@albanyhandball.com> wrote:
>>> Why are you allowing anyone to connect to your database from a form?
>> A little OT, but...
>> What do you mean by this question? How do you check someone's credentials
>> if not by connecting to a db to verify the login? Cause I'm doing the same
>> kind of thing all over the place. With good practices on validation and
>> such before doing my query of course.
> I'm pretty sure that's not what tedd meant. The code is logging in to the
> database server using the username and password from the form. There are very
> few legitimate reasons to be doing this, so the question is well worth asking.

Stuart is exactly right.

If you are checking someone's credentials to access your site, such as a user,
then giving them the "keys to the kingdom" is a bit of an overkill.

My advice: set up "user_id" and "password" fields in a "user" table for users
you want to access some portion of your site. Here's the code to do that:

Where I have said "// define your user id here" is the place to actually open
your database and access your user table to gather the correct user_id and

I also suggest that when you open the database you only use literals from a
config.php file ($dbhost, $dbuser, $dbpass) for accessing the actual database and
then check the user_id and password before giving them authorization to private

Keep the private stuff private!

PHP General Mailing List (http://www.php.net/)
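
The separation described in the message above, as an added example that is not code from this thread or from the code the message refers to: the application opens the database with its own account from config.php, and the form's values are only looked up in the "user" table. Assumptions: an in-memory SQLite database stands in for the real server so the example runs offline, the "password" column holds `password_hash()` output, and `open_db`, `check_login` and `DUMMY_HASH` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Stand-in for config.php (constructed values). With MySQL the DSN would be built
// from $dbhost, and $dbuser/$dbpass would be the application's own DB account.
$dsn = 'sqlite::memory:';   // in-memory SQLite so the example runs offline
$dbuser = null;
$dbpass = null;

// Hash verified for unknown users so both outcomes do comparable work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

// The only database login: always the application's account, never form input.
function open_db(string $dsn, ?string $user, ?string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// True only when user_id exists in the user table and the password matches its hash.
function check_login(PDO $db, string $userId, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, (string) $hash);
}

$db = open_db($dsn, $dbuser, $dbpass);
$db->exec('CREATE TABLE user (user_id TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO user (user_id, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret-example', PASSWORD_DEFAULT)]);

// Constructed submissions standing in for the form's $_POST values.
$attempts = [['alice', 's3cret-example'], ['alice', 'wrong'], ['nobody', 'x']];
foreach ($attempts as [$id, $pw]) {
    $ok = check_login($db, $id, $pw);
    printf("%-8s %s\n", $id, $ok ? 'authorized for private pages' : 'denied');
}
```

A failed site login here never reaches the database server's own authentication, so the application account's privileges can be limited to what the site's queries need.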