On Mar 11, 2008, at 12:20 AM, Mike wrote:
Wait, what?
You are defining user role ids as MD5 hashes of UUIDs created from
random numbers that change on every request?
Am I missing something or is this completely insane advice?
I'm probably wrong on this, but I think the point is that it doesn't
matter the actual value of the constants. As long as you're using that
constant (which has a unique value on each request)... well, wait.
Maybe I don't understand either. Ha!
I do understand the security aspect though. It's like a password that
changes quite frequently - it would be, for all intensive purposes,
impossible to guess.
Oh, I have an idea! Let's say your users are defined this way in the
database:
user_level: ADMIN, GENERAL_USER, LEVEL_ONE_USER, etc...
Then run your comparison, e.g.:
if (defined ($user['user_level'])) { ... }
Maybe Tedd or Dan need to slap some sense into me, but that's one way
I *think* you could implement it. =/
~Philip
On Mar 10, 2008, at 1:07 PM, tedd wrote:
At 3:14 PM -0400 3/10/08, Daniel Brown wrote:
On Mon, Mar 10, 2008 at 3:08 PM, Jason Pruim <japruim@xxxxxxxxxx>
wrote:
What I was thinking about doing was a combination of the company
name
(Which I set right now) and then a access level such as "50" for
the
"Owner" of the program, "40" for the "Managers" and "30" for the
"user" of the program. also leaving me room to add other levels if
required..
I generally do the same basic thing for permission levels, but a
reverse of what you're attempting to do.
The superuser (AKA root, administrator, God, whatever) has GID 0,
just like on a *NIX system. This is because it's the highest level
you can reach, and 0 is the lowest real number you can use. Thus,
you
can add a virtually-infinite number of lesser users, as opposed to
being limited to 50, as in your case.
Yeah, but then if you try to add a super-superuser you have to go
negative. :-)
Why not just define the users with define CONSTANT statement and
use that? Then the different types of users can be anything you
want and you can change the value easily if there's a problem.
Really, all the value really has to be is unique -- you could use
unique() for that, such as:
define("ADMIN", md5(uniqid(rand(), true)););
define("GENERAL_USER", md5(uniqid(rand(), true)););
define("LEVEL_ONE__USER", md5(uniqid(rand(), true)););
define("LEVEL_TWO__USER", md5(uniqid(rand(), true)););
define("WHATEVER__USER", md5(uniqid(rand(), true)););
and so on. That would work and you'll never have to be concerned
about it nor worry about someone guessing it, if that becomes a
problem.
Am I right?
Cheers,
tedd
PS: Oh, I just received the following email and thought I would
pass it on:
HELLO,
MY NAME IS AGNES IN SEARCH OF A MAN WHO UNDERSTANDS THE MEANING OF
LOVE AS TRUST AND FAITH IN EACH OTHER RATHER THAN ONE WHO SEES LOVE
AS THE ONLY WAY OF FUN BUT A MATURED MAN WITH NICE VISION OF WHAT
THE WORLD IS ALL ABOUT SO PLEASE REPLY ME WITH THIS BOX IF YOU ARE
INTERESTED IN ME.
Anyone want a woman who yells all the time?
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
"Personally, most of my web applications do not have to factor 13.7
billion years of space drift in to the calculations, so PHP's rand
function has been great for me..." ~S. Johnson
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
