Re: Best authentication method for user

Alain Roger wrote:
OK, but how to make a non-logged user execute some stored procedures or
queries?
MySQL will need some login and password for that.

So, that's why I've asked such a question... how and where to store this
non-logged user's info (login, password) so as not to make the physical user type
them? (This must be secure enough.)

thanks a lot,
Alain

On 4/3/06, Ligaya Turmelle <lig@xxxxxxxxxx> wrote:


For that I was thinking to use session and register his login and password as session variable.

What do you think about that?


I personally would only hold a password for as long as it is needed to
log them in.  Then I'd set a session var that they have logged in and
another session var for their level of access.

But that's me.


--

life is a game... so have fun.





Are you talking about the level of mysql access or the level of access to a site? They are 2 completely separate things.

A site can use 1 or multiple mysql users depending upon the level of privileges you want to give them. You could always link the level of site access to the mysql user in your authentication area...

<off the top of my head>
(guest = 1, user = 5, super = 9)
  switch ($_SESSION['level'])
  {
    case 1:
      $db_user = 'site_guest';
      break;
    case 5:
      $db_user = 'site_user';
      break;
    case 9:
      $db_user = 'site_super';
      break;
    default:
      $db_user = 'site_guest';
  }

In a config file you would have the various usernames and their matching passwords... and yes I would require it on all pages.

And on the page itself display various parts (or not) based on their $_SESSION['level'] of access...

if($_SESSION['level']>1)
{
  // display something a user or super would only see
}

In the DB you have a site_user who has GRANTS on SELECT, site_user who has GRANTS on SELECT, UPDATE, INSERT, DELETE, EXECUTE for specific tables (maybe content tables) and stored procedures on them, and site_super that has the full DB access for the tables associated with the site.

</off the top of my head>

--

life is a game... so have fun.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
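
The level-to-account selection sketched in the message above, as an added example that is not part of the original post: it replaces the switch (which compares loosely) with a strict lookup that falls back to the guest account for any missing, non-integer or unknown level. The account names and level numbers are from the post; the passwords are placeholders, and the names DB_ACCOUNTS, GUEST_LEVEL, db_account_for_session and db_connect are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed config: account names come from the post, passwords are
// placeholders. In practice this file lives outside the web root.
const DB_ACCOUNTS = [
    1 => ['user' => 'site_guest', 'pass' => 'PLACEHOLDER_GUEST'],
    5 => ['user' => 'site_user',  'pass' => 'PLACEHOLDER_USER'],
    9 => ['user' => 'site_super', 'pass' => 'PLACEHOLDER_SUPER'],
];
const GUEST_LEVEL = 1;

/**
 * Hypothetical helper: map the session's access level to one MySQL account.
 * Only an integer that is an exact key of DB_ACCOUNTS is accepted; a missing,
 * non-integer or unknown level falls back to the guest account (fail closed).
 * The login code must therefore store the level as an int, e.g. with (int).
 */
function db_account_for_session(array $session): array
{
    $level = $session['level'] ?? GUEST_LEVEL;
    if (!is_int($level) || !array_key_exists($level, DB_ACCOUNTS)) {
        $level = GUEST_LEVEL;
    }
    return DB_ACCOUNTS[$level];
}

/** Hypothetical helper: open the connection as the selected account. */
function db_connect(array $session, string $dsn): PDO
{
    $acct = db_account_for_session($session);
    return new PDO($dsn, $acct['user'], $acct['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Constructed sessions showing the selection without touching a database.
$samples = [
    'no level set' => [],
    'guest'        => ['level' => 1],
    'user'         => ['level' => 5],
    'super'        => ['level' => 9],
    'string "9"'   => ['level' => '9'],
    'unknown 7'    => ['level' => 7],
];
foreach ($samples as $label => $session) {
    printf("%-14s -> %s\n", $label, db_account_for_session($session)['user']);
}
```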
