0

Hi,
I set up authentication in PHP for the admin and it worked fine, but now I need to use the same code for users who have limited access to the database that the admin uses.
user1 only update one table
user2 only view tables
user3 insert to one table only
Do I need to use MySQL privileges to limit the access of the users? If so, how?
Or can I use PHP code that has the same effect as the MySQL privileges?
My authentication page is:

<?php
// session_start() takes no session-name argument
session_start();
// Define database constants
define('AUTH_HOST', 'localhost');
define('AUTH_USER', 'root');
define('AUTH_PASS', '123456');
define('AUTH_DB', 'ownerdb');

function attempt_auth()
{
    // Send authentication headers
    header('WWW-Authenticate: Basic realm="protected in php"');
    header('HTTP/1.0 401 Unauthorized');
}

function check_login($username, $password)
{
    $ret = false;
    if ($username && $password)
    {
        // Check if login matches database values
        // (mysqli replaces the mysql_* functions, which were removed in PHP 7)
        $conn = mysqli_connect(AUTH_HOST, AUTH_USER, AUTH_PASS, AUTH_DB);
        if ($conn)
        {
            // Search for matches; bound parameters replace addslashes()
            $stmt = mysqli_prepare($conn,
                "SELECT COUNT(username) AS ucount
                 FROM password
                 WHERE username = ?
                 AND passwd_md5 = MD5(?)
                 AND passwd_sha1 = SHA1(?)");
            if ($stmt)
            {
                mysqli_stmt_bind_param($stmt, 'sss', $username, $password, $password);
                mysqli_stmt_execute($stmt);
                mysqli_stmt_bind_result($stmt, $ucount);
                // Check if a match was found
                if (mysqli_stmt_fetch($stmt) && $ucount)
                {
                    $ret = true;
                    $_SESSION["username"] = $username;
                }
                mysqli_stmt_close($stmt);
            }
            // Close connection
            mysqli_close($conn);
        }
    }
    return $ret;
}

// Check if using valid credentials
if (!(isset($_SESSION["username"]) ||
    (isset($_SERVER["PHP_AUTH_USER"]) &&
     check_login($_SERVER["PHP_AUTH_USER"],
                 $_SERVER["PHP_AUTH_PW"]))))
{
    // Show login prompt
    attempt_auth();
    echo "Authorization Required";
    exit;
}
?>

THANKS IN ADVANCE

0

Usually you can use a session to denote the user level (e.g. 1,2,3). You can use this to determine which pages can be viewed etc. You can use different mysql accounts based on the session user level. I suggest you NEVER use your superadmin account for connection in a site. Drill down to the minimum privileges for the account.

You can also have a second login screen to access admin pages. May be overkill though. phpBB operates a similar method.

0

Thanks for your reply, ardav.
Well, from the first I wanted to use the session to denote the user level, but I don't know how to limit the access using PHP, not a MySQL account.


0

OK, your user table:

user_id | login | pwhash | firstname | .... | level

When user logs in, their level is applied. Set all new users to 0 until they activate the account (usu. email link) - which then sets it to 1. You administer other levels through your admin pages (or directly through phpmyadmin or other GUI).

$_SESSION['level'] = $row['level'];


0

Agree with @ardav!

Just a sentence to make it clear, you want something like

user1 only update one table
user2 only view tables
user3 insert to one table only

So when adding a new user, set their level, e.g. set user1's to 1, user2's to 2 and user3's to 3. Now when a user tries to insert something into the database, just make a database query with his/her username and check if he/she has level 3 privilege. If he doesn't, don't let him run the insert query.

Cheers :)

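The two suggestions made in the replies above (a level stored in the session, and a separate low-privilege MySQL account per level) can be combined. The following is an added example, not code posted by anyone in the thread; the account names, passwords and the `orders` table with its `item` column are hypothetical.

```php
<?php
// Added example. Levels follow the thread: 1 = update, 2 = view, 3 = insert.
// Account names, passwords and the `orders` table are hypothetical.
// Matching MySQL grants (accounts created beforehand with CREATE USER):
//   GRANT UPDATE ON ownerdb.orders TO 'app_update'@'localhost';
//   GRANT SELECT ON ownerdb.*      TO 'app_read'@'localhost';
//   GRANT INSERT ON ownerdb.orders TO 'app_insert'@'localhost';
function level_rules(): array
{
    return [
        1 => ['account' => ['app_update', 'CHANGE_ME'], 'allow' => ['UPDATE' => ['orders']]],
        2 => ['account' => ['app_read',   'CHANGE_ME'], 'allow' => ['SELECT' => ['*']]],
        3 => ['account' => ['app_insert', 'CHANGE_ME'], 'allow' => ['INSERT' => ['orders']]],
    ];
}

// Deny by default: unknown levels (including 0, not yet activated) get nothing.
function is_allowed(int $level, string $action, string $table): bool
{
    $rules  = level_rules();
    $tables = $rules[$level]['allow'][$action] ?? [];
    return in_array('*', $tables, true) || in_array($table, $tables, true);
}

// Connect with the account that belongs to the level, never with root.
function connect_for_level(int $level): mysqli
{
    $rules = level_rules();
    if (!isset($rules[$level])) {
        throw new RuntimeException('No database account for this level');
    }
    [$user, $pass] = $rules[$level]['account'];
    return new mysqli('localhost', $user, $pass, 'ownerdb');
}

function insert_order(array $session, string $item): bool
{
    $level = (int) ($session['level'] ?? 0);
    if (!is_allowed($level, 'INSERT', 'orders')) {
        return false;                       // PHP check: refuse before any query
    }
    $db   = connect_for_level($level);      // MySQL check: account can only INSERT
    $stmt = $db->prepare('INSERT INTO orders (item) VALUES (?)');
    $stmt->bind_param('s', $item);
    $ok = $stmt->execute();
    $db->close();
    return $ok;
}
// Constructed session: level 2 (view only) is refused without touching the database.
var_dump(insert_order(['level' => 2], 'widget'));
```

With both layers in place, a mistake in the PHP check still cannot exceed what the MySQL account for that level has been granted.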

0

Thank you all so much, you were really helpful :*
