Multiple users and single database question
Posted: Sun Dec 05, 2010 7:46 pm
by Tchapman
I have a single database, where each client's system uploads all its data to a single table, but each user in the table has a unique ID for referencing their updates to the db. How can I keep the actual database username and password private? If I give everyone the login info to the database so that it is included in the POST, anyone can see the info, and if someone chose to write some code and mess with the db then it would be easy. Also, if the PHP file that manages the database updates is what contains the login info, anyone can download the PHP file and get the info.
Is there a way to have the user log in with a separate username and password that is stored in the record for their ID, but not have them see the real db login info?
Re: Multiple users and single database question
Posted: Mon Dec 06, 2010 12:19 pm
by social_experiment
Tchapman wrote: Is there a way to have the user log in with a separate username and password that is stored in the record for their ID, but not have them see the real db login info?
If you are using a class you can use the values inside the class so that users don't have access to it.
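Code:
<?php
class sql_ {
    // properties (private, so they are only readable from inside the class)
    private $database = "db_name";
    private $username = "user_name";
    private $password = "pass_word";
    private $host = "localhost";

    public function connectToDb() {
        $connection = @mysql_connect($this->host, $this->username, $this->password);
        // select the database on the same connection
        @mysql_select_db($this->database, $connection);
        return $connection;
    }
}
?>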
Or if you are not using classes, try including the file that makes the connection to the database (assume it's called connection.php)
Code:
<?php
@mysql_connect('localhost', 'my_user', 'my_pass');
@mysql_select_db('my_db');
?>
If this page is included at the top like so
Code:
<?php @include_once('connection.php'); ?>
you wouldn't have the worry you do now. The '@' symbol will suppress any error message that results, and you would probably have to make sure this file (connection.php) is set to read-only so people can't access it directly via the browser. Lastly, only give your 'users' as much 'access' as needed with regard to the database connection info. Don't create an SQL user with GRANT access if only SELECT, UPDATE, DELETE is needed for the workings of the system.
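
Added example, not part of the original posts: one way to do what the question asks, where each client sends only its own login, the server-side script checks it against a hash stored in that client's record, and the database account never leaves the server. The table `clients`, its columns, the function `uploadData` and the config path are assumptions made for illustration, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example. In production the DSN and the database account would come
// from a config file stored outside the web root, e.g. (hypothetical path):
//   $cfg = require '/etc/myapp/db.php';
//   $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);
// An in-memory SQLite database stands in here so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, login TEXT UNIQUE,
            pass_hash TEXT, data TEXT)');

// Constructed sample accounts: only a hash of each client's password is stored.
$add = $pdo->prepare('INSERT INTO clients (login, pass_hash, data) VALUES (?, ?, ?)');
$add->execute(['client_a', password_hash('client-a-secret', PASSWORD_DEFAULT), '']);
$add->execute(['client_b', password_hash('client-b-secret', PASSWORD_DEFAULT), '']);

/**
 * Check the client's own login and, if valid, update only that client's row.
 * Returns true on success, false when the login is rejected.
 */
function uploadData(PDO $pdo, string $login, string $password, string $data): bool
{
    $q = $pdo->prepare('SELECT id, pass_hash FROM clients WHERE login = ?');
    $q->execute([$login]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return false; // same answer for an unknown login and a wrong password
    }
    // The row id comes from the authenticated record, never from the request.
    $u = $pdo->prepare('UPDATE clients SET data = ? WHERE id = ?');
    $u->execute([$data, $row['id']]);
    return true;
}

// In a real endpoint the three values would be read from $_POST.
var_dump(uploadData($pdo, 'client_a', 'client-a-secret', 'reading=42')); // valid login
var_dump(uploadData($pdo, 'client_b', 'wrong-password', 'tampered'));    // wrong password
```

Because the script runs on the server, a browser request only ever receives its output, and the prepared statements keep the posted values from being interpreted as SQL.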