Only someone with admin level >= 2 will be able to do anything on the admin page. The idea is that this person setup the database and knows how to go into MySQL and look up the passwords anyway and could really bypass any of our security. Any other users could try to run database_setup, but after it has been run once, the script won't do anything. We will know it was run once if the teamRobot table already has passwords. Brandon _____ From: Steven Buss [mailto:steven.buss@xxxxxxxxx] Sent: Thursday, February 23, 2006 8:13 AM To: stamp@xxxxxxxxxxxxx Subject: [stamp] Re: Random user running "database_setup.php" what's to stop anyone from looking up any team's password? how is that going to be managed? On 2/23/06, Brandon Ripley < <mailto:Brandon.Ripley@xxxxxxxxxx> Brandon.Ripley@xxxxxxxxxx> wrote: Once we add the function "lookup team password" to the admin page, we should change database_setup.php so it can only be run once to display passwords i.e. if passwords exists, don't reprint them. -----Original Message----- From: Jeremy Johnson [mailto: mias88@xxxxxxxxx <mailto:mias88@xxxxxxxxx> ] Sent: Thursday, February 23, 2006 7:29 AM To: stamp@xxxxxxxxxxxxx <mailto:stamp@xxxxxxxxxxxxx> Subject: [stamp] Re: Random user running "database_setup.php" yes, they will. For testing purposes I did not add a restriction on when the team passwords, lthoguh that should not be so hard to implement. I will work on that. -Jeremy On 2/23/06, Erik Thulin <ethulin@xxxxxxxxx <mailto:ethulin@xxxxxxxxx> > wrote: > What if a random user runs "database_setup.php", will they see the > team passwords? > > - Erik > -- Steven Buss steven.buss@xxxxxxxxx <mailto:steven.buss@xxxxxxxxx> PHP/MySQL programmer