Security problem in Access database

[Jack]

Dear all
I'm planning to make a webpage which will let the user to enter the leave
request record into one of the database's table. Actually the user can add,
update the record with this table.
Here is the question i want to ask:

1. What should i do if i want to limit the user which can only edit the
record belongs to him/her. i mean user can only update to his own record but
not the others!!

2. Is there anyway that the PHP can pass the Windows Domain Username and
password to Mysql's User table?

3.I had made a login page for the user, but when the user input the password
which i assigned to her, it prompts incorrect password then later on i found
out that the user table's password field had encryted . So what can i do if
i want to make a login page to user which the password will be able to match
the password in Mysql.User table.

Pls help me and i'm getting really stuck!!

Cheers
Jack


-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Re: Security problem in Access database

[Carl Troein]

Jack writes:

 1. What should i do if i want to limit the user which can only edit the
 record belongs to him/her. i mean user can only update to his own record but
 not the others!!

This sort of security is best handled at the application level. If
you don't want your users to access the database directly, only
relying on the database's user system is usually not a good and/or
feasible solution.

 2. Is there anyway that the PHP can pass the Windows Domain Username and
 password to Mysql's User table?

Well, if you can get them from somewhere I'm sure it wouldn't be
too hard to add users to MySQL. The question is just how you would
get them. Even Windows doesn't store its passwords in plaintext, so
you'd have to either a) obtain the passwords from elsewhere, in which
case you could just as well get the usernames from elsewhere too, or
b) crack the users' passswords, and if you can do that that easily
you could just as well not use passwords at all.

I guess the real solution would be to modify MySQL to use a Windows
box to authenticate its users. I'm not sure what's been going on
with Kerberos and stuff like that lately, but it ought to be possible
to add this feature to MySQL. Unless you can pay someone to do it,
I guess you'd have to do it yourself, though.

 3.I had made a login page for the user, but when the user input the password
 which i assigned to her, it prompts incorrect password then later on i found
 out that the user table's password field had encryted . So what can i do if
 i want to make a login page to user which the password will be able to match
 the password in Mysql.User table.

See 1.

//C - hungry

-- 
 Carl Troein - Círdan / Istari-PixelMagic - UIN 16353280
 [EMAIL PROTECTED] | http://pixelmagic.dyndns.org/~cirdan/
 Amiga user since '89, and damned proud of it too.


-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php