Achilles,

Do you mean that a particular user should only be able to view certain records in the database? Or just that a person must log in with a valid user name and password before they have access to the database, and after they log in they have access to the whole thing?

The second case is simple and can be solved as another poster described (do a lookup and save a session variable).

For the first case you could have your user table with the name and password (perhaps additional information associated with the user) and then your data table which has a user id field that contains the ID of the user who is able to view and perhaps edit that record.

If you wish to allow several people to edit or view a record you would need a third table, which contains user ID, record ID and perhaps a level of permission (one user can edit and view; another user might only have permission to view). Your PHP code would only select from a join which includes these tables.

For example:

Your tables:

    User      Data      Access
    ----      -----     ------
    id        id        data_id
    name      col_1     user_id
    passwd    col_2     level

This would return all the records you were entitled to see - you could further restrict it by adding more WHERE clauses.

    SELECT col_1, col_2
    FROM User, Data, Access
    WHERE User.id = Access.user_id
    AND Data.id = Access.data_id
    AND User.name = $name
    AND User.passwd = $passwd
    AND Access.level >= 1 /* we'll say 1 is read, 2 is read write */
                          /* 0 or no record is no access */

Notice a record that you have no permission to view does not show up.

You would have to save the $name (user's name) and $passwd (password) in a session variable or look them up once and save the user.id in a session variable. You could send the name and password back to the user as hidden fields (not as good since these are visible to evil people) and DO NOT do this with user.id since someone could easily change their hidden id and see someone else's records.

If you added Access.level to the select list:

    SELECT Access.level, col_1, col_2

You would know if they had read only or read/write permission and if so could display the information in an editable form.

If you do allow editing you'll want to include the Data.id too (as a hidden field) to make your UPDATE statement easier, but even there include the

    WHERE User.id = Access.user_id
    AND Data.id = Access.data_id
    AND User.name = $name
    AND User.passwd = $passwd
    AND Access.level = 2

to ensure the security of your data.

Hope this helps,
Good Luck

On 4/23/02 11:14 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> From: "Achilles Maroulis" <[EMAIL PROTECTED]>
> Date: Sat, 8 Dec 2001 10:10:14 +0200
> To: "PHP mailing list" <[EMAIL PROTECTED]>
> Subject: Passwords
>
> Hi folks.
>
> I have a question for you which may be a little silly as I'm still new here..
> I want to build a database in which access will have only registered members,
> so I need to protect it. The database will have over 100000 records and
> hopefully over 1000 users-visitors. Every one of them is going to have his own
> password. I suppose I will have to build a table with usernames and encrypted
> passwords but what I don't know is how to protect the pages not to be seen
> without authorization. At first I thought about the .htaccess and .htpasswd
> files but I'm not sure yet...
> Can anyone suggest the best way to protect my database? If it is too
> complicated to be explained in an email please suggest just the function
> names and I'll try to find the way...
>
> Thanx
> Achilles

--
Frank Flynn
Poet, Artist & Mystic
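
An added example, not part of the original message: the User/Data/Access join from the reply, written with PDO prepared statements so that the name, password and record id are bound as parameters, and with the user id kept server side after one lookup. The in-memory SQLite database, the sample rows, the use of password_hash() for the stored passwords and the function names login, readable_rows and update_row are assumptions made for the illustration.

```php
<?php
// Added example: schema follows the message's User/Data/Access tables.
// The in-memory SQLite database, sample rows and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (id INTEGER PRIMARY KEY, name TEXT UNIQUE, passwd TEXT)');
$db->exec('CREATE TABLE Data (id INTEGER PRIMARY KEY, col_1 TEXT, col_2 TEXT)');
$db->exec('CREATE TABLE Access (data_id INTEGER, user_id INTEGER, level INTEGER)');

$ins = $db->prepare('INSERT INTO User (id, name, passwd) VALUES (?, ?, ?)');
$ins->execute([1, 'alice', password_hash('alice-pw', PASSWORD_DEFAULT)]);
$ins->execute([2, 'bob', password_hash('bob-pw', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO Data VALUES (10, 'a', 'b'), (11, 'c', 'd')");
$db->exec('INSERT INTO Access VALUES (10, 1, 2), (11, 1, 1), (10, 2, 1)');

// Look the user up once; return the id to keep in the session, or null.
function login(PDO $db, string $name, string $password): ?int {
    $st = $db->prepare('SELECT id, passwd FROM User WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($password, $row['passwd'])) ? (int)$row['id'] : null;
}

// Rows the user may see, with their level (1 = read, 2 = read/write).
function readable_rows(PDO $db, int $uid): array {
    $st = $db->prepare('SELECT Data.id, Access.level, col_1, col_2 FROM Data
        JOIN Access ON Data.id = Access.data_id
        WHERE Access.user_id = ? AND Access.level >= 1');
    $st->execute([$uid]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// The UPDATE repeats the access check, so a tampered hidden Data.id changes nothing.
function update_row(PDO $db, int $uid, int $dataId, string $col1): bool {
    $st = $db->prepare('UPDATE Data SET col_1 = ? WHERE id = ? AND EXISTS
        (SELECT 1 FROM Access WHERE data_id = Data.id AND user_id = ? AND level = 2)');
    $st->execute([$col1, $dataId, $uid]);
    return $st->rowCount() === 1;
}

$uid = login($db, 'bob', 'bob-pw');          // in a real page: $_SESSION['uid'] = $uid
var_dump(count(readable_rows($db, $uid)));   // bob has an Access row for record 10 only
var_dump(update_row($db, $uid, 10, 'x'));    // bob holds level 1 (read) on record 10
var_dump(update_row($db, 1, 10, 'x'));       // alice holds level 2 (read/write) on record 10
```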