Say I want to sell a script, and this script works with MySQL. Everything is secure as far as I can tell. So if somebody went through the script, can they get all the info from the db, like how it is set up, and try to break into the site it is running on?
How secure is it if they have all the info that the script runs on for them to try to break into the db?
Take this forum for example. Many people have seen the code; can they try to get in without having a username or password, or just by tricking the db to think they are valid?
What are your thoughts on this?
Just collecting thoughts and nothing is saying I am doing this right now.

Oftentimes, the forum scripts upon installation ask you what you want the table name prefix to be, so you will always have different table names for each installation. There are actions such as those that you can take so it can be unique.
But unless the person can actually get connected to the MySQL database on your server, there isn't much worry.

Even after looking at all the scripts you don't think it is a worry?

If your script is well coded (without register_globals for one) and your login/session is secure,
and since you change the MySQL login/password when you install a script, the rest is simply some SQL query...
I don't see a security risk!

That is what I thought, thanks guys.

If it checks for SQL injections. If it doesn't, the rest of the security is useless.
SQL injections, in case you do not know, if not secured from, can give away sensitive database information. In this case it can spit out the database name and table name (including its prefix).

Yes, I have blocked injections on both ends, HTML and SQL.

When you install the forum scripts it also tells you to delete the install directories before using the system. That also closes a number of other loopholes too.
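
The point made in the thread about SQL injection, as an added example that is not code from any of the posts: a user lookup built by string concatenation next to the same lookup with a prepared statement, run against a constructed input that contains a quote. The concatenated query matches every user for that input while the prepared one matches none, whatever the table prefix is. Assumptions: in-memory SQLite (PDO) stands in for MySQL so it runs without a server, and the prefix `f7x_`, the table layout and the function names are hypothetical.

```php
<?php
// Added example. Schema, prefix and inputs are constructed; in-memory SQLite
// stands in for MySQL so the script runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Hypothetical per-install table prefix. It comes from the install config,
// never from a request, because identifiers cannot be bound as parameters.
$prefix = 'f7x_';
$db->exec("CREATE TABLE {$prefix}users (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)");
$ins = $db->prepare("INSERT INTO {$prefix}users (name, pass_hash) VALUES (?, ?)");
foreach (['alice' => 'correct horse', 'bob' => 'battery staple'] as $n => $p) {
    $ins->execute([$n, password_hash($p, PASSWORD_DEFAULT)]);
}

// Before: input is pasted into the SQL text, so a quote in it rewrites the query.
function rows_concat(PDO $db, string $prefix, string $name): int {
    $sql = "SELECT id FROM {$prefix}users WHERE name = '$name'";
    return count($db->query($sql)->fetchAll());
}

// After: the value travels separately from the SQL text and is only ever data.
function rows_prepared(PDO $db, string $prefix, string $name): int {
    $st = $db->prepare("SELECT id FROM {$prefix}users WHERE name = :name");
    $st->execute([':name' => $name]);
    return count($st->fetchAll());
}

// Login on top of the prepared lookup: the hash is checked in PHP, not in SQL.
function login(PDO $db, string $prefix, string $name, string $password): bool {
    $st = $db->prepare("SELECT pass_hash FROM {$prefix}users WHERE name = :name");
    $st->execute([':name' => $name]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

$crafted = "nobody' OR '1'='1"; // constructed input containing a quote
printf("concat:   %d row(s)\n", rows_concat($db, $prefix, $crafted));
printf("prepared: %d row(s)\n", rows_prepared($db, $prefix, $crafted));
var_dump(login($db, $prefix, $crafted, 'anything'));
var_dump(login($db, $prefix, 'alice', 'correct horse'));
```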