Achilles,

Do you mean that a particular user should only be able to view certain records
in the database? Or just that a person must log in with a valid user name and
password before they have access to the database, and after they log in they have
access to the whole thing?

The second case is simple and can be solved as another poster described
(do a lookup and save a session variable). For the first case you could
have your user table with the name and password (perhaps additional
information associated with the user) and then your data table which has a
user id field that contains the ID of the user who is able to view and
perhaps edit that record. If you wish to allow several people to edit or
view a record you would need a third table, which contains user ID, record
ID and perhaps a level of permission (one user can edit and view, another
user might only have permission to view).

Your PHP code would only select from a join which includes these tables.
For example: 

Your tables:
User     Data    Access
----     ----    -------
id       id      data_id
name     col_1   user_id
passwd   col_2   level

This would return all the records you were entitled to see; you could
further restrict it by adding more WHERE clauses.

SELECT col_1, col_2
FROM User, Data, Access
WHERE User.id = Access.user_id
AND Data.id = Access.data_id
AND User.name = '$name'
AND User.passwd = '$passwd'
AND Access.level >= 1        /* we'll say 1 is read, 2 is read/write */
                             /* 0 or no record is no access */

Notice a record that you have no permission to view does not show up.

You would have to save the $name (user's name) and $passwd (password) in a
session variable or look them up once and save the user.id in a session
variable. You could send the name and password back to the user as hidden
fields (not as good since these are visible to evil people) and DO NOT do
this with user.id since someone could easily change their hidden id and see
someone else's records.

If you added Access.level to the select list:
  SELECT Access.level, col_1, col_2
you would know if they had read only or read/write permission and if so
could display the information in an editable form. If you do allow editing
you'll want to include the Data.id too (as a hidden field) to make your
UPDATE statement easier, but even there include the
WHERE User.id = Access.user_id
AND Data.id = Access.data_id
AND User.name = '$name'
AND User.passwd = '$passwd'
AND Access.level = 2
to ensure the security of your data.

Hope this helps,
Good Luck

On 4/23/02 11:14 AM, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:

> 
> From: "Achilles Maroulis" <[EMAIL PROTECTED]>
> Date: Sat, 8 Dec 2001 10:10:14 +0200
> To: "PHP mailing list" <[EMAIL PROTECTED]>
> Subject: Passwords
> 
> Hi folks.
> 
> I have a question for you which may be a little silly as I'm still new here..
> I want to build a database to which only registered members will have access,
> so I need to protect it. The database will have over 100000 records and
> hopefully over 1000 users-visitors. Every one of them is going to have his own
> password. I suppose I will have to build a table with usernames and encrypted
> passwords but what I don't know is how to protect the pages so they are not seen
> without authorization. At first I thought about the .htaccess and .htpasswd
> files but I'm not sure yet...
> Can anyone suggest the best way to protect my database? If it is too
> complicated to be explained in an email please suggest just the function
> names and I'll try to find the way...
> 
> Thanx
> Achilles


-- 
Frank Flynn
Poet, Artist & Mystic
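The three-table scheme (User / Data / Access) from Frank's reply, written out as an added example that is not part of the original thread. Python with sqlite3 stands in for PHP and MySQL; the users, rows, levels and passwords are constructed here. It follows the post's flow (one login lookup, keep User.id in the session, run every SELECT and UPDATE through the Access join) and goes beyond it in two places: passwords are stored as salted PBKDF2 hashes and verified in code instead of being compared in plaintext in the WHERE clause, and all values are bound parameters rather than variables pasted into the SQL string.

```python
"""User / Data / Access model from the post, on sqlite3 (stand-in for PHP+MySQL)."""
import hashlib
import hmac
import os
import sqlite3

READ, READ_WRITE = 1, 2  # the post's convention: 1 = read, 2 = read/write, no row = no access
PBKDF2_ROUNDS = 100_000  # assumed work factor for the constructed demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest; the User row never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_demo_db() -> sqlite3.Connection:
    """In-memory copy of the post's three tables with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE User   (id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt BLOB, passwd BLOB);
        CREATE TABLE Data   (id INTEGER PRIMARY KEY, col_1 TEXT, col_2 TEXT);
        CREATE TABLE Access (data_id INTEGER, user_id INTEGER, level INTEGER,
                             PRIMARY KEY (data_id, user_id));
    """)
    for uid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "battery staple")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO User VALUES (?, ?, ?, ?)",
                     (uid, name, salt, hash_password(pw, salt)))
    conn.executemany("INSERT INTO Data VALUES (?, ?, ?)",
                     [(10, "invoice", "jan"), (20, "invoice", "feb"), (30, "payroll", "feb")])
    # alice: read row 10, read/write row 20; bob: read row 20; nobody has a row for 30
    conn.executemany("INSERT INTO Access VALUES (?, ?, ?)",
                     [(10, 1, READ), (20, 1, READ_WRITE), (20, 2, READ)])
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, name: str, password: str):
    """The one-time lookup: returns User.id to keep in the session, or None on failure."""
    row = conn.execute("SELECT id, salt, passwd FROM User WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return uid


def visible_records(conn: sqlite3.Connection, user_id: int):
    """The post's join keyed on the session's user id; rows with no Access row never appear."""
    return conn.execute("""
        SELECT Access.level, Data.id, Data.col_1, Data.col_2
        FROM User JOIN Access ON User.id = Access.user_id
                  JOIN Data   ON Data.id = Access.data_id
        WHERE User.id = ? AND Access.level >= ?
        ORDER BY Data.id
    """, (user_id, READ)).fetchall()


def update_record(conn: sqlite3.Connection, user_id: int, data_id: int, new_col_1: str) -> bool:
    """UPDATE guarded by the same Access check at level 2, so a tampered hidden Data.id
    from the form buys nothing: the row changes only if this user may write it."""
    cur = conn.execute("""
        UPDATE Data SET col_1 = ?
        WHERE Data.id = ?
          AND EXISTS (SELECT 1 FROM Access
                      WHERE Access.data_id = Data.id
                        AND Access.user_id = ?
                        AND Access.level = ?)
    """, (new_col_1, data_id, user_id, READ_WRITE))
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = build_demo_db()
    session_uid = login(db, "alice", "correct horse")  # what PHP would keep in $_SESSION
    print("alice sees:", visible_records(db, session_uid))
    print("alice edits 20:", update_record(db, session_uid, 20, "feb-corrected"))
    print("alice edits 10:", update_record(db, session_uid, 10, "nope"))  # read only
```

The level column comes back in the SELECT exactly as the post suggests, so the page can decide whether to render an editable form; the write path still re-runs the Access check instead of trusting that decision.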



-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
