
With FX.php we call various databases using standard code provided by Chris Hansen's documentation. The server_data.php file has a standard username and password combination for accessing the databases and the related database security account gives full access to the databases.

 

I've been advised that we should have tighter security so that hackers cannot access our databases via the web.

 

Now we need to be able to write to the databases in the case of FMNew and FMEdit database calls so we can't have read-only security across the board. But for FMFind database calls read-only security might be OK.

 

So how do we set up the security for different kinds of database calls? The server_data.php file only mentions one username/password combination. If we had different accounts for FMNew/FMEdit/FMDelete and FMFind, how do we set this up in server_data.php - do we need 2 server_data.php files perhaps?

 

 

Well, unless they have access to the actual server, they can never see what is in server_data.php

 

And if they are on your web server with that level of access, I'd suggest you have bigger things to worry about...

 

Anyway, you can on any page, or for any call, use a different server_data file, maybe server_data_readonly and server_data_readwrite - just call it immediately before the relevant find/edit etc

 

But that doesn't make it any more secure - see above...

 

Cheers

Webko

As an example - there's a password file at http://apachescricket.com/include/db_conn.php

If anyone can tell me the user or the password to the database it accesses... Then it's insecure

Note: It's a dummy file, so the info in it is bogus anyway, but it proves a point

Cheers

Webko

  • Author

Thanks webko - we've been told that with our current set up someone could duplicate a web page and somehow access our databases but I'm not sure how. If I've understood you correctly, you are saying that they could only do this if they knew the username and password quoted in the server_data.php file.

That's right...
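The per-call credential files suggested in the thread (server_data_readonly and server_data_readwrite), as an added example that is not part of the original posts or of the FX.php distribution. It assumes FX.php is installed under FX/, that both files define the usual server_data.php variables, and that the FileMaker accounts they name have matching privilege sets; the database, layout and field names are placeholders.

```php
<?php
// Added example: pick the FileMaker account per FX.php call type.
// Assumption: FX/server_data_readonly.php and FX/server_data_readwrite.php are
// copies of server_data.php ($serverIP, $webCompanionPort, $dataSourceType,
// $webUN, $webPW) that differ only in the account they name.
require_once 'FX/FX.php';

// Allow-list: each FX.php action and the only credentials file it may load.
const FX_CREDENTIALS = [
    'FMFind'   => 'FX/server_data_readonly.php',   // read-only privilege set
    'FMNew'    => 'FX/server_data_readwrite.php',
    'FMEdit'   => 'FX/server_data_readwrite.php',
    'FMDelete' => 'FX/server_data_readwrite.php',
];

// Hypothetical helper: build a query bound to the right account and run it.
function fx_call(string $action, string $db, string $layout, array $params)
{
    if (!isset(FX_CREDENTIALS[$action])) {
        throw new InvalidArgumentException("Unsupported FX action: $action");
    }
    // Loaded inside the function so the credentials stay local to this call
    // and the read-write account never leaks into a later find.
    require FX_CREDENTIALS[$action];

    $query = new FX($serverIP, $webCompanionPort, $dataSourceType);
    $query->SetDBData($db, $layout);
    $query->SetDBPassword($webPW, $webUN);
    foreach ($params as $name => $value) {
        $query->AddDBParam($name, $value);
    }
    $result = $query->$action();   // safe: $action was checked against the allow-list
    if ($query->isError($result)) {
        throw new RuntimeException('FileMaker call failed: ' . $result->getMessage());
    }
    return $result;
}

// Constructed sample calls (placeholder database, layout and field names).
$found = fx_call('FMFind', 'Contacts.fp7', 'web_contacts', ['last_name' => 'Smith']);

// FX.php keys each found record as "recid.modid"; edit the first one.
$firstKey = key($found['data']);
if ($firstKey !== null) {
    list($recid) = explode('.', $firstKey);
    fx_call('FMEdit', 'Contacts.fp7', 'web_contacts',
            ['-recid' => $recid, 'phone' => '555-0100']);
}
```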
