Sorry I am still having some problems with how to create random security
keys. Would you mind please give me an example code? A few lines is fine. My
codes are as follows.
Regards,
Norman
// connect to mysql
$authdb = mysql_connect('localhost', 'webauth', 'webauth')
or die("Cannot connect to database.");
// select the appropriate database
mysql_select_db('auth')
or die("Cannot select db.");
// query the database to see if there is a record which matches
$query = "select * from auth where
usrname='$HTTP_POST_VARS[logname]' and
usrpass=md5('$HTTP_POST_VARS[logpass]')";
$result = mysql_query($query)
or die("Cannot run query.");
$row = mysql_fetch_row($result);
if (mysql_num_rows($result) > 0)
{
if (($row[0]==1) || ($row[0]==2))
{
echo "Successful.";
die();
}
}
else
{
echo "<h1>Go Away!</h1>";
echo "You are not authorized to view this resource.";
die();
}
----- Original Message -----
From: "Rick Emery" <[EMAIL PROTECTED]>
To: "'Norman Zhang'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, April 08, 2002 11:29 AM
Subject: RE: database setup
First, I assume that the same value for "userlevel" may be used by multiple
users. That is, multiple users can have userlevel equal to 1 or equal to 2
or 3 or whatever. Therefore, you CANNOT use userlevel as PRIMARY KEY.
PRIMARY KEY is a UNIQUE identifier. Thus, I recommend that each user be
identified by a unique user_id.
user_id int unsigned not null primary key,
userlevel unsigned tinyint not null,
username char(8) not null,
userpass char(16) not null,
security_key int
Next, once the user is authenticated, you can pass value of user_id through
sessions, to preserve security. Include with the session values a unique,
random key that is generated during authentication. Store this random key
in security_key. When a user makes a download/upload request, ensure that
the key stored in the database is the same as that of the session.
-----Original Message-----
From: Norman Zhang [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 12:49 PM
To: [EMAIL PROTECTED]
Subject: database setup
Hi,
I am setting up a mysql database, with two tables. One keeps the user
authentication info such as user name, password and user level. The other
table with contains files for upload and download. Is there a good way to
setup the user authentication table so it can check appropriate user rights
(user level) then provide the appropriate upload or download page?
I came up with a scheme as follows,
userlevel unsigned tinyint not null primary key,
username char(8) not null,
userpass char(16) not null
I can store user passwords using MySQL's password encryption. But when I
need to access the upload/download table I need to somehow notify the
database that what level of access the user has. If I set userlevel=1 (or
any number) after succesful authentication in the script, I would
compromised the other table. As hackers can change userlevel in the php
script without going through the authentication. Can someone please provide
me a couple of pointers how I go about setting up my database? TIA.
Regards,
Norman
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
