MySQL security issue

[BuzzLY]

We are in the beginning stages of developing an internal application for our company using PHP / MySQL. One of the questions we are trying to determine is whether or not to use persistent connections. When discussing this with my colleague, he informed me that we would be using a single username/password for all connections to MySQL.

I have been a developer for about 8 years, but am fairly new to the PHP/ MySQL universe. This seems to be a strange security measure, but he tells me that we will do that so that we can take full advantage of persistent database connections. My question is two-fold:

1. Will this really give us a big advantage by using persistent connections (it's an internal app with limited users -- say no more than 500 to start)?

2. Are there any inherent problems using a single username/password for MySQL? We would build some sort of user authentication into the app, but all DB connections would be made with this one username.

If you can point me to any articles that discuss these issues, or offer any personal insight, it would be much appreciated.

Thanks in advance!

[Jay]

You should be able to find the answers you're looking for in the MySQL manual which is very comprehensive and also looks at questions like yours.

You should see an improvement in using a persistent connection, because it's not breaking it all the time and wasting time stopping and starting it several times per user.

If all users have restricted (and identical) access, there's no problem with using the same un and pw. If they have different priviledges, give them different accounts!

[BuzzLY]

I have looked through a few manuals, and have read about persistent connections. There are a few good articles online about it as well. I will look into it some more, so I understand it better, thanks.

As for the accounts -- we want each user to have seperate accounts. Each user is a sales rep that has specific information that only they should have access to (for example, appointments or notes about clients). What my boss proposes is that the connection to MySQL be an "all access" username and password, and that we would build the user security ourselves in front of it. I just don't know how secure it will be, and whether this is SOP when building PHP apps.

[DoppyNL]

There are no problems using only one username and password for mysql itself. That password is located in the php-file itself and will not be available to web-users, so that is not a problem.

storing username's and password inside you're app (mysql tables) is used a lot of the time.
This forum does that, so does my site-software.
Is no problem, as long as you make sure you check if the user may do what he wants to do on EVERY page.
What I mean is that you need to check if a user has acces to a form to add data, but also check if the acces is granted in the script where the data is actually added to the database.

Greetz Daan