MySQL doesn't have row level permissions, but this is what VIEWS are for. If you only want access to specific rows, create a view with that subset of data. You can create a function (privilege bound) to create the view to make this more dynamic.
If you want direct access to the database, then you will need multiple MySQL users. I don't quite get the purpose of what you're trying to do through a PHP script; I see little reason why you can't use some client level security to facilitate data access, especially if you're going to implement dynamic creation of users in the PHP script itself (which would be rather weak security imho). -- Adam Alkins || http://www.rasadam.com On 16 June 2010 14:48, Don Cohen <don-mysq...@isis.cs3-inc.com> wrote: > Adam Alkins writes: > > Sounds like you just want to GRANT access to specific tables (and with > > limited commands), which is exactly what MySQL's privilege system does. > > How about this part? > > > Finally, suppose I want to limit access to the table to the rows > > > where col1=value1. If I just add that to <wherespec> what can an > > > attacker do to read other rows? > > The http request I have in mind will be something like > https://server.foo.com?user=john&password=wxyz&;... > and the resulting query something like > select ... from table where user=john and ... > (I will first have verified the password.) > > It seems I'd have to create a separate mysql user for each user in > my table, and perhaps also a separate separate table (or view?) for > that user to be allowed to read. > I suppose the php process could create the table/view, create the > user, then connect as the user to execute the query, then remove the > user. > > Even if this turns out to be the best solution, I'm interested in > the answer to the original question. > >
