Do mean that a particular user should only be able to view certain records
in the database? Or just that person must log in with a valid user name and
password before they have access to the database, after they login they have
access to the whole thing?

The second case is simple and  can be solved as another  poster described
(do a lookup and save a session variable).  Fir the first case you could
have your user table with the name and password  (perhaps additional
information associated with the user) and then your data table which has a
user id field that contains the ID of the user who is able to view and
perhaps edit that record.  If you wish to allow several people  to edit or
view a record you would need a third table, which contains user ID, record
ID and perhaps a level of permission (one user can edit and view another
user might only have permission to view).

Your PHP code would only select from a join which includes these tables.
For example: 

Your tables:
User    Data   Access
----    -----   ------
id      id     data_id
name    col_1  user_id
passwd  col_2  level

This would return all the records you were entitled to see - you could
further restrict it by adding more WHERE clauses.

SELECT col_1, col_2
FROM User,  Data,  Access
WHERE = Access.user_id
AND = Access.data_id
AND = $name
AND User.passwd = $passwd
AND Access.level >= 1        /* we'll say 1 is read, 2 is read write */
                             /* 0 or no record is no access */

Notice a record that you have no permission to view does not show up.

You would have to save the $name (users name) and $passwd (password) in a
session variable or look them up once and save the  in a session
variable.  You could send the name and password back to the user as hidden
fields (not as good since these are visible to evil people) and  DO NOT do
this with since someone could easily change their hidden id and see
someone else's records.

If you added Access.level to the select list:
  SELECT Access.level, col_1, col_2
You would  know  if  they had read only or read/write permission and if so
could display the information in an editable form.  If you do allow editing
you'll want to include the too (as a hidden field) to make  your
UPDATE statement easier but even there include the
WHERE = Access.user_id
AND = Access.data_id
AND = $name
AND User.passwd = $passwd
AND Access.level = 2
To ensure the security or your data.

Hope this helps,
Good Luck

On 4/23/02 11:14 AM, "[EMAIL PROTECTED]"

> From: "Achilles Maroulis" <[EMAIL PROTECTED]>
> Date: Sat, 8 Dec 2001 10:10:14 +0200
> To: "PHP mailing list" <[EMAIL PROTECTED]>
> Subject: Passwords
> Hi folks.
> I have a quetion for you which maybe a little silly as I'm still new here..
> I want to build a database in which access will have only registered memebers,
> so I need to protect it. The database will have over 100000 records and
> hopefully over 1000 users-visitors. Everyone of them is going to have his own
> password. I suppose I will have to build a table with usernames and encrypted
> passwords but what I don't know is how to protect the pages not to be seen
> without authorization. At first I thought about the .htaccess and .htpasswd
> files but I'm not sure yet...
> Can anyone suggest the best way to protect my database? If it is to
> complicated to be explained in an email please suggest just the functions
> names and I'll try to find the way...
> Thanx
> Achilles

Frank Flynn
Poet, Artist & Mystic

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to