On Mar 11, 2008, at 10:42 AM, Philip Thompson wrote:
On Mar 11, 2008, at 12:20 AM, Mike wrote:
Wait, what?
You are defining user role ids as MD5 hashes of UUIDs created from
random numbers that change on every request?
Am I missing something or is this completely insane advice?
I'm probably wrong on this, but I think the point is that it doesn't
matter the actual value of the constants. As long as you're using
that constant (which has a unique value on each request)... well,
wait. Maybe I don't understand either. Ha!
I do understand the security aspect though. It's like a password
that changes quite frequently - it would be, for all intents and
purposes, impossible to guess.
Oh, I have an idea! Let's say your users are defined this way in the
database:
user_level: ADMIN, GENERAL_USER, LEVEL_ONE_USER, etc...
Then run your comparison, e.g.:
if (defined ($user['user_level'])) { ... }
Maybe Tedd or Dan need to slap some sense into me, but that's one
way I *think* you could implement it. =/
~Philip
Here's what I understood it to mean :) The numbers that I was using
are unimportant. It just needs to be consistent throughout the entire
application. I.e. if 50,000 = Root, 50,000 has to ALWAYS equal root. In
that same fashion, if 0 = root, 0 always has to be root. Both are just
as valid, and it's just a matter of design.
I could also use a "Level1", "Level2" etc. type setup... All of it
works, and it's just semantics and programming styles. I don't believe
that either way is any more secure than any other way... At least of
what I have mentioned here...
If I'm wrong though, I'm open to suggestions! :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx
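An added example, not code from anyone in this thread, of the scheme Jason describes: arbitrary numeric role constants, used consistently and compared strictly. It assumes a `$user` row from the database with a `user_level` column, and the role names and sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// The numeric values are arbitrary, as Jason says; what matters is that
// they are used consistently everywhere and never compared loosely.
const ROLE_ROOT         = 50000;
const ROLE_ADMIN        = 40000;
const ROLE_GENERAL_USER = 10000;

const KNOWN_ROLES = [ROLE_ROOT, ROLE_ADMIN, ROLE_GENERAL_USER];

/**
 * Normalise the stored level to an int and reject anything unknown.
 * A row that does not carry a recognised role gets no privileges at all.
 */
function userRole(array $user): ?int
{
    if (!isset($user['user_level']) || !is_numeric($user['user_level'])) {
        return null;
    }
    $level = (int) $user['user_level'];
    return in_array($level, KNOWN_ROLES, true) ? $level : null;
}

function hasRole(array $user, int $required): bool
{
    $level = userRole($user);
    // Strict comparison: 0, '', null and 'root' never match a role by accident.
    return $level !== null && $level === $required;
}

// Constructed sample rows (hypothetical, not from the thread).
$rows = [
    ['name' => 'alice', 'user_level' => '50000'], // root; DB drivers often return strings
    ['name' => 'bob',   'user_level' => '10000'], // general user
    ['name' => 'eve',   'user_level' => 'root'],  // junk value: must not become root
    ['name' => 'mallory'],                        // missing column: no role at all
];

foreach ($rows as $row) {
    printf("%-8s root=%s\n", $row['name'], hasRole($row, ROLE_ROOT) ? 'yes' : 'no');
}

// Why the strict check matters for the "0 = root" variant Jason mentions:
// before PHP 8, a loose comparison such as `$row['user_level'] == 0` is true
// for the non-numeric string 'root', so a junk or tampered value would have
// satisfied a root check. With integer constants and ===, it cannot.
```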
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php