Hi Henry

On set up of the side of the software that sits on the customer's server a table is created for users. Administration screens are provided for adding/deleting users and a user can only gain access by logging in and they can only log in if a record exists in this table. The whole thing (on this side) is secured by cookies. After logging in the software attempts to connect to a MySQL database using the host, username, pass & db name specified in a mysqlvars.php file - these vars are never passed across the network. No usernames/passwords either for MySQL or access to the software are stored in the cookie - the cookie is authenticated using a checksum value.

The generator side is secured by sessions but again no MySQL vars are sent across nor any access usernames/passwords for the customer software. What is sent between the servers is:

1. the customer's email address and password for the generator (encoded and different from their MySQL/customer software username/passwords) and
2. table structure information which has been retrieved.

This information could of course be intercepted but could be of no use to a hacker without a valid username and password for the MySQL database. If you disagree please tell me. It's this aspect of the software (security) that causes most concern as with any application enabling online access to databases.

Debbie

----- Original Message -----
From: "Henry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 25, 2002 11:14 AM
Subject: Re: [PHP] Re: Automatic Form Generation with PHP

> Hi Debbie,
>
> That's fair enough. How are you ensuring that only valid servers request
> information from the field enquiry part?
>
> Otherwise people might be able to use this part to gain access to the
> database structure if not the actual data.
>
> Henry.
>
> "Debbie_dyer" <[EMAIL PROTECTED]> wrote in message
> news:00f501c26476$49fcd4a0$19153c3e@homepc...
> > Hi Henry
> >
> > Well the software generates the code to process the forms as well (eg for an
> > insert form the code to check required fields are not empty, perform any
> > data validation and insert the record into the db) as well as the forms
> > themselves and this code is in PHP. You can choose to generate a sticky form
> > where you would get 1 PHP page (containing a mixture of PHP and HTML) or
> > non-sticky where you would get separate HTML & PHP pages for the
> > forms/processing.
> > Because all this generated processing code is in PHP
> > customers who don't have PHP either wouldn't be interested in the software
> > or if they were interested in the software they would need to install it -
> > both to use the software and also to be able to use the processing code that
> > it generated.
> >
> > Debbie
> >
> > ----- Original Message -----
> > From: "Henry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 25, 2002 10:05 AM
> > Subject: [PHP] Re: Automatic Form Generation with PHP
> >
> > > Hi Debbie,
> > >
> > > What are you going to do about customers who don't have PHP? To run the
> > > field definition extractor part of the system.
> > >
> > > Henry
> > >
> > > "Debbie_dyer" <[EMAIL PROTECTED]> wrote in message
> > > news:00a001c26468$80a50530$19153c3e@homepc...
> > > Hi
> > >
> > > We are shortly to release the next version of Form Generator Pro (automatic
> > > generation of HTML form/PHP processing code) and are looking for some
> > > comments on the way in which we intend to make the software available.
> > >
> > > Due to the fact that we cannot distribute this PHP application without
> > > comprising copyright (the Zend Encoder is not an affordable option for us -
> > > we are a small start-up business), the current version of Form Generator Pro
> > > is only available for use online at the C U Online site which is fine
> > > because 1. it only generates mail forms and 2. it's free. However this won't
> > > work for version 2 because version 2 automatically generates forms for MySQL
> > > databases by querying the database for table information (field lengths,
> > > types etc). Opening up connections from our server to other servers to get
> > > database info is not an option - for security reasons (and also many MySQL
> > > servers are set up to only accept local connections anyway for this reason).
> > >
> > > To resolve this problem, the software has been split into 2 parts. The part
> > > that retrieves the database information sits on the customer's server
> > > (secured). Field definitions are then extracted and sent to the generator
> > > which remains on our site. I will stress here that no actual database data
> > > is sent between the 2 servers, nor any MySQL server usernames or passwords -
> > > just the field lengths, types etc of the selected table. Access to the
> > > generator will then be sold as opposed to selling the actual software
> > > (although mail form generation will remain free). This is not an ideal
> > > solution but it seems to be the only way to make the software available and
> > > at the same time protect copyright.
> > >
> > > I would be grateful for any thoughts from other businesses/developers on
> > > this solution.
> > >
> > > Regards
> > > Debbie Dyer
> > > Software Engineer for C U Online
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
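
The thread does not say how the cookie "checksum" is computed. As an added example (not code from the thread or from Form Generator Pro), one sound way to authenticate such a cookie is a keyed HMAC over its fields, because an unkeyed checksum can be recomputed by anyone who edits the cookie. All function names, the key and the sample values are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration, not Form Generator Pro code; every name here is hypothetical.
// Assumption: the key sits in a server-side include (as mysqlvars.php does)
// and is never sent to the browser.
const COOKIE_KEY = 'constructed-sample-key-use-32-random-bytes';

// Cookie value is "userId|expiry|mac"; the MAC covers both fields.
function make_auth_cookie(int $userId, int $ttl, int $now): string
{
    $payload = $userId . '|' . ($now + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Returns the user id for an authentic, unexpired cookie, otherwise null.
function verify_auth_cookie(string $cookie, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // malformed
    }
    [$userId, $expiry, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expiry)) {
        return null; // fields must be plain decimal numbers
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expiry, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null; // edited or forged: MAC does not match (constant-time compare)
    }
    if ((int) $expiry < $now) {
        return null; // authentic but expired
    }
    return (int) $userId;
}

// Constructed sample values.
$now    = 1032950000;
$cookie = make_auth_cookie(42, 3600, $now);
$edited = '43' . substr($cookie, 2); // user id changed, MAC left as issued

var_dump(verify_auth_cookie($cookie, $now));        // as issued
var_dump(verify_auth_cookie($edited, $now));        // user id edited
var_dump(verify_auth_cookie($cookie, $now + 7200)); // presented after expiry
```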