Multiple users and single database question

Tchapman
Forum Newbie
Posts: 11
Joined: Wed Dec 01, 2010 3:38 am

Post by Tchapman »

I have a single database, where each client's system uploads all its data to a single table, but each user in the table has a unique ID for referencing their updates to the db. How can I keep the actual database username and password private? If I give everyone the login info to the database so that it is included in the POST, anyone can see the info, and if someone chose to write some code and mess with the db then it would be easy. Also, if the PHP file that manages the database updates is what contains the login info, anyone can download the PHP file and get the info.

Is there a way to have the user log in with a separate username and password that is stored in the record for their ID, but not have them see the real db login info?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Multiple users and single database question

Post by social_experiment »

Tchapman wrote: Is there a way to have the user log in with a separate username and password that is stored in the record for their ID, but not have them see the real db login info?
If you are using a class you can use the values inside the class so that users don't have access to it.

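<?php
class sql_ {
 // properties (private, so code outside the class cannot read them)
 private $database = "db_name";
 private $username = "user_name";
 private $password = "pass_word";
 private $host = "localhost";

 public function connectToDb() {
  // note: the mysql_* extension was removed in PHP 7; mysqli or PDO replace it
  $connection = @mysql_connect($this->host, $this->username, $this->password);
  // select database as well somewhere here
  return $connection;
 }
}
?>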
Or if you are not using classes, try including the file that makes the connection to the database (assume it's called connection.php)

<?php
 @mysql_connect('localhost', 'my_user', 'my_pass');
 @mysql_select_db('my_db');
?>
If this page is included at the top like so

<?php @include_once('connection.php'); ?>
you wouldn't have the worry you do now. The '@' symbol will suppress any error message that results and you would probably have to make sure this file (connection.php) is set to read-only so people can't access it directly via the browser. Lastly, only give your 'users' as much 'access' as needed with regards to the database connection info. Don't create a sql user with GRANT access if only SELECT, UPDATE, DELETE is needed for the workings of the system.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
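
The arrangement asked about in this thread, as an added example that is not part of either post: the database login stays on the server, each client authenticates with its own secret stored (hashed) in the record for its ID, and writes are bound to that authenticated ID. The table, column and environment-variable names are assumptions, and in-memory SQLite via PDO stands in for the real database so the sketch runs offline.

```php
<?php
// Added example. Table, column and environment-variable names are assumptions.
// DB credentials live in the server environment (or a config file outside the
// web root); clients never see them. Falls back to in-memory SQLite for the demo.
function db_connect(): PDO {
    $dsn = getenv('APP_DB_DSN') ?: 'sqlite::memory:';
    $pdo = new PDO($dsn, getenv('APP_DB_USER') ?: null, getenv('APP_DB_PASS') ?: null);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Verify the per-client secret against the hash stored in that client's record.
function authenticate_client(PDO $db, int $clientId, string $secret): bool {
    $stmt = $db->prepare('SELECT secret_hash FROM clients WHERE id = ?');
    $stmt->execute([$clientId]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($secret, $hash);
}

// What the upload endpoint does with the POSTed id, secret and data:
// authenticate first, then write only under the authenticated client's ID.
function store_update(PDO $db, int $clientId, string $secret, string $data): bool {
    if (!authenticate_client($db, $clientId, $secret)) {
        return false; // the endpoint would answer with HTTP 403 here
    }
    $stmt = $db->prepare('INSERT INTO updates (client_id, data) VALUES (?, ?)');
    return $stmt->execute([$clientId, $data]);
}

// Constructed demo data: one client with a hashed secret.
$db = db_connect();
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, secret_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE updates (client_id INTEGER NOT NULL, data TEXT NOT NULL)');
$db->prepare('INSERT INTO clients (id, secret_hash) VALUES (?, ?)')
   ->execute([7, password_hash('client-7-secret', PASSWORD_DEFAULT)]);

var_dump(store_update($db, 7, 'client-7-secret', 'reading=42')); // correct secret
var_dump(store_update($db, 7, 'wrong-secret', 'reading=0'));     // wrong secret
var_dump(store_update($db, 8, 'client-7-secret', 'reading=0'));  // unknown client
var_dump((int) $db->query('SELECT COUNT(*) FROM updates')->fetchColumn());
```

The database account behind `APP_DB_USER` would be the limited one the reply describes, with only the statement privileges the endpoint needs.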