> On 13 Aug 2015, at 23:56, Peter Haworth <p...@lcsql.com> wrote:
>
> Thanks Dave. That's good info.
>
> My questions are specifically related to mySQL which is able to accept
> remote connections by design.

Sorry if I wasn't clear. I was suggesting that it's generally a bad idea to allow remote connections. This would allow brute force attacks. (Guessing user names and passwords)

> I see your point about passing the credentials but, as mentioned to Bill,
> doesn't opening the database connection using SSL take care of that? Same
> for your point 3.

It wasn't so much the passing of credentials, but how to keep the credentials private. I was imagining a case where the same credentials were shared by all instances of your application. How are they stored in the application? Can a user discover them? If so, the user can access the database directly using the command line or a MySQL utility application (e.g. Navicat) and bypass any sanitizing used by your application. Do you trust your users? :-)

> I also see your point about the need to update credentials on each client.
> Don't have a follow up on that one :-)
>
> I do like the idea of only a single connection to the db from the server
> side script. But don't you then start getting into multiple thread issues
> for performance reasons?

I've never really thought about that. I've never experienced such a problem.

> Once again, just trying to understand all the implications before going
> down the wrong path.

A good idea. It's also let me review why I set things up the way I do.