If I understand your original question properly, you want to have an address field that a user can see sometimes and not others?

Why not add a single column to your user table, something like see_address and make it hold the results of a yes or no checkbox that only you can see on a user's profile page? When a user needs to update the contents of the address column, you go in and check that check box to allow access. If you group your user permissions, you might consider making that check box available to groups or classes of users.

When you're writing your select, update and insert queries, pull that see_address field for that user. If it's set to 'y', then write a bit of code to include that address column you're concerned about in your queries on the fly. You'd use the same sort of logic when rendering the HTML in the browser: if 'y' then show field else don't show it. Of course, if you're the administrator, you'd want to see that field all the time so you'd just pop another check in there to see if the current user is an administrator or not.

This solution assumes that you're already using some sort of permission system. It also puts a little more of a burden on you as the administrator to turn that check box on and off. But it makes sure you have control over who can see that check box and who can't and it's pretty simple to implement.

I'm sure there are other options out there. Just thought this might give you something else to consider.

Rich

-----Original Message-----
From: Frank M Flynn [mailto:frank@xxxxxxxxxx]
Sent: Tuesday, January 11, 2005 2:00 PM
To: php-db@xxxxxxxxxxxxx
Cc: listschris@xxxxxxxxxxxxxxx; jusa_98@xxxxxxxxx
Subject: Re: Complicated Question (maybe)?

Turning off 'Update' privileges in the DB will work but it's ugly.

REVOKE UPDATE ON <your table>.<column - or - * for all> FROM <the web user>

http://dev.mysql.com/doc/mysql/en/GRANT.html for documentation

Now when someone tries to update this they will get an error and unless you have different logins for every user UPDATE will not work for anyone over the web.

I have two other ideas, although each is more work:

- Make a second table like the first address table but add a timestamp column, do not use auto increment (you will set the ID to the ID in the original table). In your PHP when you do an update you will first INSERT the original record and the current time into the new table then allow the UPDATE to the original table. This will not break your app but will preserve the data.

- Add a column 'valid' to the original table and when someone tries to update the table find the original record and set valid to 0; then insert a new record. This may not work if you are joining off of the ID (all related records will still point to the old record).

You could also remove or disable all the UPDATE code from your PHP pages, no?

Good luck,
Frank

On Jan 11, 2005, at 9:39 AM, php-db-digest-help@xxxxxxxxxxxxx wrote:

> From: Chris
> As long as I'm understanding you correctly, this is able to be done
> with the mysql privileges.
>
> Just create a user that isn't allowed to update that column, then use
> that user in your PHP code.
>
> The wording of your message makes it look like you're using a webform
> to specify a columnname-value combination to update in the database.
> This is inherently insecure.
>
> Chris
>
> JeRRy wrote:
>
>> Hi,
>> I want to BLOCK any possible updates from a webform or
>> php page to the address field. Or even halt any sort
>> of update/modification from mysql to that column but
>> have it possible to unblock by admin.
>>
>> Is this possible? Sure I could refuse an mysql update
>> to do this but I want to lock out everyone to ensure
>> no sneaky activity or changes are made.
>>
>> Is it possible or am I talking too much?
>>
>> J
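
The column-privilege approach discussed in this thread, written out as an added example that is not part of the original messages. It uses MySQL's column-level form, where the column list follows the privilege name; the database `appdb`, the table `users`, its columns and the login `webapp` are all assumed names.

```sql
-- Added example. appdb, users, webapp and all column names are assumptions.
-- Constructed schema for the demonstration.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE appdb.users (
    id      INT UNSIGNED NOT NULL PRIMARY KEY,
    name    VARCHAR(100) NOT NULL,
    email   VARCHAR(255) NOT NULL,
    address VARCHAR(255) NOT NULL
);

-- Weak setup, shown for contrast and left commented out: a table-level
-- UPDATE covers every column, and revoking UPDATE on one column afterwards
-- does not narrow it.
--   GRANT SELECT, INSERT, UPDATE ON appdb.users TO 'webapp'@'localhost';

-- Locked setup: the login the PHP code connects with gets UPDATE only on
-- the columns it is allowed to change. address is deliberately left out.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';  -- placeholder password
GRANT SELECT, INSERT ON appdb.users TO 'webapp'@'localhost';
GRANT UPDATE (name, email) ON appdb.users TO 'webapp'@'localhost';

-- Connected as webapp, the server itself now rejects this statement with a
-- column-level "command denied" error, whatever the PHP code sends:
--   UPDATE appdb.users SET address = '1 New St' WHERE id = 1;
-- while this one still succeeds:
--   UPDATE appdb.users SET email = 'a@example.com' WHERE id = 1;

-- Admin unlock, run from an administrative account, followed by the relock.
GRANT  UPDATE (address) ON appdb.users TO   'webapp'@'localhost';
REVOKE UPDATE (address) ON appdb.users FROM 'webapp'@'localhost';

-- Review what the web login can currently do.
SHOW GRANTS FOR 'webapp'@'localhost';
```

Because the restriction lives in the server's grant tables, it holds even if a page builds its UPDATE from submitted column names, the pattern Chris flags as insecure.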