Hi Nicolas,
any communication between the client and the server can be sniffed. So
passwords that the client passes to the server are not sufficient to protect
the database. As Ken wrote, you can try setting up different access
levels for different users in MySQL. And never trust the submitted
content, which means your relay script has to prevent any access to the
database unless the submitted string is not what it is supposed to be.
For example you can use regular expressions in the server-side script to
detect anything that should not come from the client - something like this:
# $q holds the SQL string submitted by the client
unless ($q =~ m/alter |insert|truncate|drop |modify|create|\0|use |check| key /i)
{
    # pass sql string ($q) to the database and return result
}
else
{
    # Access denied to prevent SQL injection attempt
    print "sorry, you can't";
    exit 0;
}
Best wishes
Viktoras
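As an added example, not code from the thread, in Python with the standard sqlite3 module standing in for MySQL: the keyword denylist from the snippet above beside the alternative it is usually contrasted with, where the client sends only a query name and parameters and the relay owns the SQL and binds the values as placeholders. The query names and the customers table are constructed for the demo.

```python
import re
import sqlite3

# Keyword denylist in the spirit of the Perl check above: reject any
# client-supplied SQL string containing one of the listed words.
DENYLIST = re.compile(r"alter |insert|truncate|drop |modify|create|\0|use |check| key ", re.I)

def denylist_allows(sql):
    """True when the raw SQL string contains no denylisted keyword."""
    return DENYLIST.search(sql) is None

# Allowlist design: the client never sends SQL at all, only a query name and
# its parameters. The relay owns the SQL text and binds values with
# placeholders, so a parameter is always treated as data, never as SQL.
# Query names and the customers table are constructed for this demo.
QUERIES = {
    "customer_by_id": ("SELECT id, name FROM customers WHERE id = ?", 1),
    "customers_in_city": ("SELECT id, name FROM customers WHERE city = ?", 1),
}

def run_named_query(conn, name, params):
    """Dispatch a client request to a fixed query; reject anything unknown."""
    if name not in QUERIES:
        raise ValueError("unknown query name")
    sql, nparams = QUERIES[name]
    if len(params) != nparams:
        raise ValueError("wrong number of parameters")
    return conn.execute(sql, tuple(params)).fetchall()

def demo_db():
    """In-memory stand-in for the MySQL database, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Ann", "Oslo"), (2, "Bob", "Val d'Or")])
    return conn

if __name__ == "__main__":
    db = demo_db()
    # A quote inside the parameter is harmless: it is bound, not spliced into SQL.
    print(run_named_query(db, "customers_in_city", ["Val d'Or"]))
```

A MySQL user with only SELECT rights on the tables these queries touch, as Ken suggested, limits the damage if the relay is ever reached with credentials sniffed from the URL.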
Nicolas Cueto wrote:
Many thanks to Viktoras and Len for the server side "relay"
explanation.
I can now use Rev to connect with a MySQL database stored on my
web-host's server through a php relay-script that is also on the same
server.
One other thing, now. The issue of security has been brought up. For now,
my solution has been to place my server-side php relay-scripts in a
password protected folder. This way, when my Rev stack calls the php
relay-script, I include the user name and password for that folder in the url.
Is that sufficient? Or, what's the other avenue I should now be
following?
Again, many thanks for both the help and patience.
Cheers,
Nicolas Cueto
_______________________________________________
use-revolution mailing list
[email protected]
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution