  1. #1
    SitePoint Enthusiast Griffinpp's Avatar

    Grant/Revoke syntax (mysql)

    I apologize if this is a dumb question, I'm a newbie when it comes to mySQL. Is there a way to specify the row you want to grant or revoke a privilege on? i.e. something like:

    ->GRANT DELETE ON sessions.users WHERE id=7
    ->TO webuser;

    The idea here is to allow someone to edit their account without giving them access to anyone else's information. Can this be done in this way, or is there a better way to do this?
    -Paul Griffin

  2. #2
    Dumb PHP codin' cat
    Hmm.. you may need to explain your situation better. How would webuser be modifying their information? You weren't going to give each user permission to log into the mysql console and start modifying data in the table, right? Grant is for giving mysql users permissions to tables. If you are talking about a web based form where users can modify information stored in a table, then you should not need to use grant. Grant would be used when setting up a new user in mysql, the user that your script would use to connect to the database. So could you explain a little more about what you are trying to accomplish?
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  3. #3
    SitePoint Enthusiast Griffinpp's Avatar
    OK, I'll try to explain this a little better.

    I'm playing with the user registration system that Kevin Yank described in one of his articles (Managing sessions with PHP and mySQL). Being the ambitious person that I am, I wanted to create a page where users could edit their settings, change their password, unsubscribe from the site, etc.

    The database I have laid out is virtually identical to the one Kevin made, and each record is identified by a unique autoincrementing integer. So here's the thing. I want to create a page that takes an $id variable and pulls the data matching that id from the database. That's fairly easy, even for a relatively inexperienced person such as myself. I was trying to think of a way to make the page (and everyone's account information) more secure by making sure that a user only has access to the row that contains their information. Connection to the database is done through a mySQL account called "webuser" that is restricted to the table containing user info.

    Thinking about it a little more, my original idea (alter the account restrictions on the fly) of how to restrict people to their own record is never going to work (Amazing how something can seem so ), since there would theoretically be several people using the mysql account at the same time. So, I guess my question has changed to this:

    How can I make sure via PHP or mySQL that a person accessing this page can only edit their own data? I already know better than to put the id variable in the URL; should I add another session variable with their id in it? Am I worrying over nothing?

    Thanks,
    -Paul Griffin

  4. #4
    Dumb PHP codin' cat
    I wouldn't say you were worrying about nothing, but I usually start a session variable called $SESSION which is an array holding all session data. This way it's pretty hard to recreate an array into a get string to hack the system. So my point being, I assume your users must login with a username and password. After authenticating them with your username/password check, simply store their id from the users table as another element of the $SESSION array; now when they click on "change my details" you can query the database based on the id stored in the session. I think that should be secure enough.

  5. #5
    SitePoint Enthusiast Griffinpp's Avatar
    Ah, even better! Thanks for your help!
    -Paul Griffin

  6. #6
    SitePoint Enthusiast
    Freddy, if you don't mind my jumping in here, but what would the syntax for setting the $SESSION variable look like and how would you retrieve it? I'm sure this is trivial, but what the heck..

    Thanks..

  7. #7
    Dumb PHP codin' cat
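    PHP Code:
    // session_register() ties the global $SESSION array to the session.
    // It was removed in PHP 5.4; current PHP uses the $_SESSION superglobal.
    session_start();
    session_register("SESSION");
    $SESSION['username'] = 'freddy';
    $SESSION['uid'] = 25;

    Next Page
    PHP Code:
    // The registered $SESSION array is restored when the session starts.
    session_start();
    print $SESSION['username'];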

    Is this what you are asking?
    Please don't PM me with questions.
    Use the forums, that is what they are here for.
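
The approach from posts #4 and #7 (store the user's id in the session at login, then pick the row to edit from the session and never from the request), as an added example that is not part of the original thread. It uses the `$_SESSION` superglobal in place of `session_register()`; the `users` table, its column names, the sample accounts and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
// Added example, not from the thread. Assumed names: a users table with
// id, username, password_hash, email; in-memory SQLite stands in for MySQL.
declare(strict_types=1);

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id once authenticated
    $_SESSION['uid'] = (int) $row['id']; // stored server-side, not supplied by the client
    return true;
}

function updateOwnEmail(PDO $db, string $newEmail): bool
{
    if (!isset($_SESSION['uid'])) {
        return false;                    // not logged in
    }
    // The row is chosen by the session uid only; an id in GET/POST is never read.
    $stmt = $db->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$newEmail, $_SESSION['uid']]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data: two accounts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, email TEXT)');
$add = $db->prepare('INSERT INTO users (username, password_hash, email) VALUES (?, ?, ?)');
$add->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), 'alice@example.test']);
$add->execute(['bob', password_hash('bob-pw', PASSWORD_DEFAULT), 'bob@example.test']);

session_start();
login($db, 'bob', 'bob-pw');             // bob is row 2
$_POST['id'] = '1';                      // constructed tampered form field naming row 1
updateOwnEmail($db, 'bob@new.example.test');

foreach ($db->query('SELECT id, email FROM users ORDER BY id') as $r) {
    echo $r['id'], ' ', $r['email'], PHP_EOL;   // list both rows after the update
}
```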

  8. #8
    SitePoint Enthusiast
    Join Date
    Jan 2001
    Posts
    29
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks, freddy.

