Hi All,

I'm writing an application that needs row level security in it so that
only certain users can view/change etc. certain records. I know that
MySQL currently does not have row level security, and when I've asked
this list before I've been given some helpful suggestions (although
none of them would actually work for me). So I've decided that the only
way to go is to put the security logic into the application I am building.

This works fine for my application, but means that if anyone connects
directly to the server using the MySQL client etc, then they'll be able
to see/update everything - making it a pretty weak security system.

I've had two thoughts about this, but am willing to hear of any other
thoughts people might have.

One that I could do right now is to get my program to add something to
the password of every user (users are created using the program and
passwords can be changed using it too). This way if they try to connect
to the server directly they won't have the extra bit on their passwords
and it won't let them connect. The program could take care of adding
this extra bit each time anything password related was needed so it
shouldn't be a problem in this respect, however if anyone discovered the
extra bit then it would be impossible to change the extra bit without
giving everyone new passwords (which would be a real pain).

A second way would be if there was like an application password in the
security area that could be set and would be needed for connection -
sort of like the ssl extra stuff that's been added recently. The
downside of this is it isn't currently there and I'd need to convince
someone at MySQL that it was worth adding and then wait for it to be
added, the upside is that it would be easier to change if the
application password was discovered.

I've looked a little at the ssl/encryption stuff to see if I could use
that but I don't think it can really help me achieve what I'm trying to
achieve but if someone thinks it can I'd love to hear how.

If anyone has any other ideas, can see problems that I haven't seen in
the above ideas then I'd appreciate knowing. Are there any others
having this problem (or is it just me!)?

Thanks for your thoughts,
cheers,
noel
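
An added example, not part of the original post: a sketch of the first idea in the message, where the application mixes a secret into each user's password before it reaches the server, including what happens when that secret has to change. It assumes HMAC in place of plain appending; `FakeServer`, the sample users and both secrets are constructed stand-ins, not MySQL's API.

```python
import hashlib
import hmac

# Constructed sample data; FakeServer stands in for the server's account table.
SAMPLE_USERS = {"alice": "alice-pw", "bob": "bob-pw"}
SECRET_V1 = b"constructed-app-secret-v1"
SECRET_V2 = b"constructed-app-secret-v2"


def server_password(user_password: str, app_secret: bytes) -> str:
    """Password the application sends to the server (assumption: HMAC, not appending)."""
    return hmac.new(app_secret, user_password.encode(), hashlib.sha256).hexdigest()


class FakeServer:
    """Keeps only a hash of each account password, so it cannot re-derive anything."""

    def __init__(self):
        self._accounts = {}

    def set_password(self, user: str, password: str) -> None:
        self._accounts[user] = hashlib.sha256(password.encode()).digest()

    def connect(self, user: str, password: str) -> bool:
        stored = self._accounts.get(user)
        offered = hashlib.sha256(password.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, offered)


def demo() -> dict:
    server = FakeServer()
    for user, pw in SAMPLE_USERS.items():
        server.set_password(user, server_password(pw, SECRET_V1))
    result = {
        # Through the application: the secret is mixed in, login succeeds.
        "via_app": server.connect("alice", server_password("alice-pw", SECRET_V1)),
        # Direct client connection with the password the user knows: refused.
        "direct": server.connect("alice", "alice-pw"),
    }
    # Changing the secret: the application needs each user's own password to
    # re-derive the account password. Here only alice has supplied hers.
    server.set_password("alice", server_password("alice-pw", SECRET_V2))
    result["alice_after_change"] = server.connect("alice", server_password("alice-pw", SECRET_V2))
    result["bob_after_change"] = server.connect("bob", server_password("bob-pw", SECRET_V2))
    return result


if __name__ == "__main__":
    print(demo())
```

Because the stand-in server holds only a hash of the derived password, every account stays on the old secret until its owner's password passes through the application again.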