The examples of holding passwords in databases (i.e. MySQL) tend to encrypt
the password.  Although this seems sensible (if not necessary) it does mean
that if a user forgets their password the normal solution is to generate a
new random password and email it to them.  Then I realised that this faffing
about was all a bit unnecessary.  Surely if security has been breached to the
extent that the user table can be accessed, chances are that the intruder
could delete data from tables or even drop them.  In fact the best solution
is to set up proper database users rather than your own 'application' users.
This way you can set it up (at database level) so that 'Punters'
can only read most of the data and 'Administrators' have fuller access.

So maybe the conclusion is there is no point in encrypting passwords but
there are very good reasons to have users as 'real' database users.

What do you lot reckon?

Ben.

--
[EMAIL PROTECTED] (ben@work until end March)
[EMAIL PROTECTED] (ben@home)
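
The database-level separation the post describes, sketched as MySQL account
setup. This is an added example, not part of the original message; the `shop`
schema, its tables, the account names and the passwords are constructed
placeholders.

```sql
-- Constructed example: database, tables, account names and passwords are
-- placeholders, not taken from the original post.
CREATE DATABASE IF NOT EXISTS shop;

CREATE TABLE IF NOT EXISTS shop.products (
  id    INT AUTO_INCREMENT PRIMARY KEY,
  name  VARCHAR(100) NOT NULL,
  price DECIMAL(8,2) NOT NULL
);

CREATE TABLE IF NOT EXISTS shop.customers (
  id      INT AUTO_INCREMENT PRIMARY KEY,
  name    VARCHAR(100) NOT NULL,
  address VARCHAR(255) NOT NULL
);

-- Each person is a real MySQL account. With the built-in password plugins
-- the server keeps only a hash of the password in its grant tables.
CREATE USER 'punter_alice'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder_1';
CREATE USER 'admin_bob'@'localhost'    IDENTIFIED BY 'CHANGE_ME_placeholder_2';

-- 'Punters': read most of the data, nothing else.
GRANT SELECT ON shop.products TO 'punter_alice'@'localhost';
-- Column-level grant: customer names are readable, addresses are not.
GRANT SELECT (id, name) ON shop.customers TO 'punter_alice'@'localhost';

-- 'Administrators': fuller access to the rows, but no DROP, ALTER or
-- GRANT OPTION, so this account cannot drop tables or widen privileges.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'admin_bob'@'localhost';

-- Check what each account can actually do.
SHOW GRANTS FOR 'punter_alice'@'localhost';
SHOW GRANTS FOR 'admin_bob'@'localhost';

-- Run as punter_alice, these are rejected by the server itself:
--   DELETE FROM shop.products;            -- DELETE command denied
--   SELECT address FROM shop.customers;   -- SELECT denied on that column
--   DROP TABLE shop.products;             -- DROP command denied
```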


-- 
PHP General Mailing List (http://www.php.net/)