I would like to create a form to submit trouble tickets to a SQL Server 2008 database. I've used odbc_connect in PHP before to do simple INSERT INTO statements. This time, however, I want to validate data before I insert, which brings me to my security concern.
I embed a user/pass in the odbc_connect. This user has insert-only rights on the SQL table. So, worst case, if it is compromised, it would only be allowed to insert data. Now I need to also give it read ability to some semi-sensitive tables.
So, question one: can the PHP source be read and the user/pass compromised? My research says no, as long as the server is properly secured and no public domain has rights.
If that is true, then is there any worry about embedding the password in the PHP code?
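
The setup described in the question, sketched with the credentials kept out of the PHP source and the form data validated before the insert. This is an added example, not part of the original post; the environment variable names, the `tickets` table and its columns are hypothetical.

```php
<?php
// Added example. Env var names, table and column names are hypothetical.
// Credentials are read from the server environment, so a misconfiguration
// that serves this file as plain text does not reveal the password.
function ticket_db_connect()
{
    $dsn  = getenv('TICKET_DB_DSN');
    $user = getenv('TICKET_DB_USER');
    $pass = getenv('TICKET_DB_PASS');
    if ($dsn === false || $user === false || $pass === false) {
        throw new RuntimeException('Database settings are not configured.');
    }
    $conn = odbc_connect($dsn, $user, $pass);
    if ($conn === false) {
        throw new RuntimeException('Database connection failed.');
    }
    return $conn;
}

// Validate the form fields before the insert.
function validate_ticket(array $in)
{
    $email   = filter_var(trim($in['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $subject = trim($in['subject'] ?? '');
    $body    = trim($in['body'] ?? '');
    // odbc_execute() treats a parameter that starts and ends with a single
    // quote as a file name to read, so such values are rejected as well.
    if ($email === false || $subject === '' || strlen($subject) > 200
        || $body === '' || strlen($body) > 4000
        || preg_match("/^'.*'$/s", $subject) || preg_match("/^'.*'$/s", $body)) {
        throw new InvalidArgumentException('Invalid ticket data.');
    }
    return [$email, $subject, $body];
}

// Placeholders keep user input out of the SQL text.
function insert_ticket($conn, array $ticket)
{
    $stmt = odbc_prepare($conn, 'INSERT INTO tickets (email, subject, body) VALUES (?, ?, ?)');
    if ($stmt === false || !odbc_execute($stmt, $ticket)) {
        throw new RuntimeException('Ticket could not be saved.');
    }
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    insert_ticket(ticket_db_connect(), validate_ticket($_POST));
}
```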