Sorry I am still having some problems with how to create random security keys. Would you mind please give me an example code? A few lines is fine. My codes are as follows.
Regards, Norman // connect to mysql $authdb = mysql_connect('localhost', 'webauth', 'webauth') or die("Cannot connect to database."); // select the appropriate database mysql_select_db('auth') or die("Cannot select db."); // query the database to see if there is a record which matches $query = "select * from auth where usrname='$HTTP_POST_VARS[logname]' and usrpass=md5('$HTTP_POST_VARS[logpass]')"; $result = mysql_query($query) or die("Cannot run query."); $row = mysql_fetch_row($result); if (mysql_num_rows($result) > 0) { if (($row[0]==1) || ($row[0]==2)) { echo "Successful."; die(); } } else { echo "<h1>Go Away!</h1>"; echo "You are not authorized to view this resource."; die(); } ----- Original Message ----- From: "Rick Emery" <[EMAIL PROTECTED]> To: "'Norman Zhang'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, April 08, 2002 11:29 AM Subject: RE: database setup First, I assume that the same value for "userlevel" may be used by multiple users. That is, multiple users can have userlevel equal to 1 or equal to 2 or 3 or whatever. Therefore, you CANNOT use userlevel as PRIMARY KEY. PRIMARY KEY is a UNIQUE identifier. Thus, I recommend that each user be identified by a unique user_id. user_id int unsigned not null primary key, userlevel unsigned tinyint not null, username char(8) not null, userpass char(16) not null, security_key int Next, once the user is authenticated, you can pass value of user_id through sessions, to preserve security. Include with the session values a unique, random key that is generated during authentication. Store this random key in security_key. When a user makes a download/upload request, ensure that the key stored in the database is the same as that of the session. -----Original Message----- From: Norman Zhang [mailto:[EMAIL PROTECTED]] Sent: Monday, April 08, 2002 12:49 PM To: [EMAIL PROTECTED] Subject: database setup Hi, I am setting up a mysql database, with two tables. One keeps the user authentication info such as user name, password and user level. The other table with contains files for upload and download. Is there a good way to setup the user authentication table so it can check appropriate user rights (user level) then provide the appropriate upload or download page? I came up with a scheme as follows, userlevel unsigned tinyint not null primary key, username char(8) not null, userpass char(16) not null I can store user passwords using MySQL's password encryption. But when I need to access the upload/download table I need to somehow notify the database that what level of access the user has. If I set userlevel=1 (or any number) after succesful authentication in the script, I would compromised the other table. As hackers can change userlevel in the php script without going through the authentication. Can someone please provide me a couple of pointers how I go about setting up my database? TIA. Regards, Norman --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php