*can* does not equate with *should*. embed of username:password in any URL is a security risk. And even some browsers and apps have begun to block this practice (they won't work).
If you have a closed system, perhaps, ok embed away.
OP doesn't specify what's getting the results, but perhaps it's time to work on authentication and then query rather than embed?
Thanks user and Beverley
I am have tried user's approach and it works fine.
In response to beverley, I am using this to download data from the database to an app. The system is "closed" in as much as the url is embebded in the app's script.
I don't want it to go through a manual authentication process (although the username and password may be entered as variables by the user of the app) as it is part of script that updates a table of data. Its a one way process....pulls data from FMS to populate table in mobile app.
Anyway long response...but short answer is I am happy with the help you have both given.