Re: [PHP-DB] Question about access rights in php/mysql

2008-08-26 Thread Jason Pruim


On Aug 26, 2008, at 8:32 AM, Dan Shirah wrote:


> > Hi Everyone,
> >
> > I am attempting to wrap my head around an issue and wanted to see if
> > I was thinking right.
> >
> > I am attempting to set up a pURL site, one where they go to something
> > like: example.com/purl.php?purl=jason1234 and the site says "Welcome
> > Jason". I have that part of it working, and it's pulling the info
> > from the database just fine, what I'm wondering about is locking it
> > down a little bit more so that they can't just edit the info in the
> > main page, but they have to specifically hit a button to edit the
> > info.
> >
> > Is it better to have 2 connections to the database with 2 separate
> > logins? One for the initial load which just has select privileges
> > and a second for when they hit edit which then gives them update
> > privileges?
> >
> > Or, should I just do 1 login with select, and update privileges?
> >
> > Any ideas or suggestions?
> >
> > Thanks!
>
> Jason,
>
> I would assume you have some kind of login page, correct? Or can
> anyone type in the direct URL and access someone else's page?
>
> If they have already logged in, I would use some simple javascript
> to enable/disable the editing of form objects. By setting all of the
> form objects to "disabled" they will appear grayed out but the text
> is still legible.  Then when they click on your "Edit" button just
> have a Javascript function set them all to enabled. You could do
> something similar to show/hide div's.
>
> Or, you could bypass all the javascript and just add an "edit" flag
> to your page? So once they click on the Edit button/link it would
> update a variable and you could do something like:
>
> if ($edit == "Y") {
>     // show the Save option here
> }
>
> Add in the option to save only if Edit has been selected?
>
> As for your database logins, I don't see a problem with doing it
> either way. I personally prefer to use a single login, but doing an
> include() for a second login is no big deal either.


Hi Dan,

Thanks for the info! The page will not actually require a login, it is
a new direct mail technique where they get a piece of mail with the
pURL on it, and then go there to "follow up" on the web.

I think though that I will go with the 1 login, with a simple variable
like you described.


Thanks Dan!


--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]






Re: [PHP-DB] Question about access rights in php/mysql

2008-08-26 Thread Dan Shirah
>
> Hi Everyone,
>
> I am attempting to wrap my head around an issue and wanted to see if I was
> thinking right.
>
> I am attempting to set up a pURL site, one where they go to something like:
> example.com/purl.php?purl=jason1234 and the site says "Welcome Jason". I
> have that part of it working, and it's pulling the info from the database
> just fine, what I'm wondering about is locking it down a little bit more so
> that they can't just edit the info in the main page, but they have to
> specifically hit a button to edit the info.
>
> Is it better to have 2 connections to the database with 2 separate logins?
> One for the initial load which just has select privileges and a second for
> when they hit edit which then gives them update privileges?
>
> Or, should I just do 1 login with select, and update privileges?
>
> Any ideas or suggestions?
>
> Thanks!



Jason,

I would assume you have some kind of login page, correct? Or can anyone type
in the direct URL and access someone else's page?

If they have already logged in, I would use some simple javascript to
enable/disable the editing of form objects. By setting all of the form
objects to "disabled" they will appear grayed out but the text is still
legible.  Then when they click on your "Edit" button just have a Javascript
function set them all to enabled. You could do something similar to
show/hide div's.

Or, you could bypass all the javascript and just add an "edit" flag to your
page? So once they click on the Edit button/link it would update a variable
and you could do something like:

if ($edit == "Y") {
    // show the Save option here
}

Add in the option to save only if Edit has been selected?

As for your database logins, I don't see a problem with doing it either way.
I personally prefer to use a single login, but doing an include() for a
second login is no big deal either.
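
The two-login option raised in this thread, written out as MySQL accounts. This is an added example, not code from any of the posters; the purl_db.recipients schema, its column names, the account names and the placeholder passwords are assumptions.

```sql
-- Added example (MySQL). Schema, column and account names are assumptions;
-- the passwords are placeholders to replace before use.
CREATE DATABASE IF NOT EXISTS purl_db;
CREATE TABLE IF NOT EXISTS purl_db.recipients (
  purl       VARCHAR(64)  NOT NULL PRIMARY KEY,  -- value from ?purl=...
  first_name VARCHAR(100) NOT NULL,
  email      VARCHAR(255),
  phone      VARCHAR(32),
  mail_batch INT NOT NULL DEFAULT 0              -- internal, never visitor-editable
);
-- Constructed sample row matching the URL in the question.
INSERT IGNORE INTO purl_db.recipients (purl, first_name)
VALUES ('jason1234', 'Jason');

-- Login 1: used for every page load. Read-only.
CREATE USER IF NOT EXISTS 'purl_read'@'localhost' IDENTIFIED BY 'CHANGE_ME_1';
GRANT SELECT ON purl_db.recipients TO 'purl_read'@'localhost';

-- Login 2: opened only by the script that processes a submitted edit.
-- SELECT lets the WHERE clause find the row; UPDATE is limited to the
-- columns the form is meant to change.
CREATE USER IF NOT EXISTS 'purl_edit'@'localhost' IDENTIFIED BY 'CHANGE_ME_2';
GRANT SELECT ON purl_db.recipients TO 'purl_edit'@'localhost';
GRANT UPDATE (first_name, email, phone)
  ON purl_db.recipients TO 'purl_edit'@'localhost';

-- Check what each login actually holds.
SHOW GRANTS FOR 'purl_read'@'localhost';
SHOW GRANTS FOR 'purl_edit'@'localhost';

-- In a session connected as purl_read: refused with "UPDATE command denied".
UPDATE purl_db.recipients SET email = 'new@example.com'
 WHERE purl = 'jason1234';

-- In a session connected as purl_edit: the statement above succeeds, while
-- changing a column outside the grant is still refused.
UPDATE purl_db.recipients SET mail_batch = 99
 WHERE purl = 'jason1234';
```

The server applies these grants to every statement a login sends, so they hold even when a request skips the page's JavaScript or sets the edit variable itself.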


[PHP-DB] Question about access rights in php/mysql

2008-08-26 Thread Jason Pruim

Hi Everyone,

I am attempting to wrap my head around an issue and wanted to see if I  
was thinking right.


I am attempting to set up a pURL site, one where they go to something  
like: example.com/purl.php?purl=jason1234 and the site says "Welcome  
Jason". I have that part of it working, and it's pulling the info from  
the database just fine, what I'm wondering about is locking it down a  
little bit more so that they can't just edit the info in the main  
page, but they have to specifically hit a button to edit the info.


Is it better to have 2 connections to the database with 2 separate  
logins? One for the initial load which just has select privileges and  
a second for when they hit edit which then gives them update privileges?


Or, should I just do 1 login with select, and update privileges?

Any ideas or suggestions?

Thanks!


--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]





--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] question about access

2003-02-10 Thread Doug Thompson
If your client's friend wants to do learning/development, let him load
PHPTriad, FoxServ, or one of the other trinity setups onto his
computer.

It is truly remarkable that you/your company would even consider such a
request for longer than it takes to say: Never in a million years.

Also, if I were running security at your site, I would closely monitor
that client's activities on the system assuming that's how you are set
up.  That is a loose cannon out there.

Doug

On Mon, 10 Feb 2003 10:29:18 -0600, Terry Romine wrote:

>I'd like to get some opinions from the list.
>
>We run php/mysql on our linux servers located behind a firewall. Many 
>of our clients have scripts that access their databases via php running 
>on the hosting server, and the general access is set up as:
>
>   $hostname = "localhost";
>   $database  = "clientsDB";
>   $username = "client";
>   $password = "";
>
>   etc..
>
>One of our clients has a friend who wants to do some php/mysql and has 
>asked for access to the database. We gave them the information above, 
>and he complains that "localhost" is insufficient. We think that if he 
>is requesting "servername.domain.net:accessPort" that that gives him 
>access through the firewall. Instead, he should upload his scripts 
>using ftp and use localhost, as all our other clients do.
>
>What is the general consensus?
>
>Is giving an outsider this kind of access just asking for trouble?
>
>Terry







[PHP-DB] question about access

2003-02-10 Thread Terry Romine
I'd like to get some opinions from the list.

We run php/mysql on our linux servers located behind a firewall. Many 
of our clients have scripts that access their databases via php running 
on the hosting server, and the general access is set up as:

	$hostname = "localhost";
	$database  = "clientsDB";
	$username = "client";
	$password = "";

	etc..

One of our clients has a friend who wants to do some php/mysql and has 
asked for access to the database. We gave them the information above, 
and he complains that "localhost" is insufficient. We think that if he 
is requesting "servername.domain.net:accessPort" that that gives him 
access through the firewall. Instead, he should upload his scripts 
using ftp and use localhost, as all our other clients do.

What is the general consensus?

Is giving an outsider this kind of access just asking for trouble?

Terry
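
The localhost-only setup Terry describes and the monitoring Doug recommends, as MySQL statements. This is an added example, not configuration from the posters' servers; only the names clientsDB and client come from the post, and the privilege list and placeholder password are assumptions.

```sql
-- Added example (MySQL). Database and user names come from the post; the
-- privilege list is an assumption and the password is a placeholder.

-- An account is a user@host pair. This one only matches connections made on
-- the database host itself, which is what uploaded scripts using "localhost" do.
CREATE USER IF NOT EXISTS 'client'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE ON clientsDB.* TO 'client'@'localhost';

-- Audit 1: accounts that would accept a connection from another machine.
SELECT user, host
  FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
 ORDER BY user, host;

-- Audit 2: is the server listening on the network at all, and where?
SHOW VARIABLES LIKE 'skip_networking';
SHOW VARIABLES LIKE 'bind_address';
SHOW VARIABLES LIKE 'port';

-- Audit 3: what the client account is allowed to do.
SHOW GRANTS FOR 'client'@'localhost';

-- Monitoring: current sessions for that account and where they come from.
-- Socket connections show host 'localhost'; TCP ones show 'address:port'.
SELECT id, user, host, db, command, time, info
  FROM information_schema.processlist
 WHERE user = 'client';
```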

