Programming Advice : Adding Security features..

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


facets
Forum Contributor
Posts: 273
Joined: Wed Apr 13, 2005 1:53 am
Location: Detroit

Programming Advice : Adding Security features..

Post by facets »

I'm about to add security features to some scripts I've written and was wondering what 'the best way' to do this would be. By that, I mean: is there a standard programming way of doing it?

A little background: currently my app allows me to view, edit, delete and print code from the DB.
I wish to lock this down so only admin can edit and delete, whilst other users have only view/print access.

So, do I leave the code as is and just add "if user == admin display this else display that"?
Or do you create 2 pages with very similar code, one for Admin and the other for Users?

Any pointers or websites to read would be FAB!

Cheers, Will.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Well, I usually split that into 2 classes: Authentication and Authorization.

An example of an authentication class:
http://timvw.madoka.be/programming/php/ ... ss.php.txt


Authorization can be handled in various ways. A very often used one is RBAC (Role-Based Access Control).

I usually choose the following: (Each user belongs to exactly one role. Each role can perform many tasks, and each task can be performed by many roles. So I introduce a roletask to handle the n-m relationship between role and task.)

[user] 1 - 1 [role] 1 - n [roletask] n - 1 [task]

Sometimes, there are roles that shouldn't see all the fields that are displayed in a task. To achieve this i end up with the following:

[task] 1 - n [taskfield] 1 - n [roletaskfield] n - 1 [role]
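As an added worked example (not timvw's code, and not the authentication class he links above): the user-role-roletask-task model and the taskfield/roletaskfield refinement as an SQLite schema, queried from Python so it runs offline without a PHP or MySQL server. The usernames, roles, tasks and field names are constructed sample data, and the `delete_snippet` handler is a hypothetical action added only to show where the authorization check belongs.

```python
"""Constructed RBAC example of timvw's tables; not code from the thread."""
import sqlite3

SCHEMA = """
CREATE TABLE role (
    role_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE user (
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    role_id  INTEGER NOT NULL REFERENCES role(role_id)  -- exactly one role per user
);
CREATE TABLE task (
    task_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE roletask (                                  -- n-m: role may perform task
    role_id INTEGER NOT NULL REFERENCES role(role_id),
    task_id INTEGER NOT NULL REFERENCES task(task_id),
    PRIMARY KEY (role_id, task_id)
);
CREATE TABLE taskfield (                                 -- fields a task displays
    taskfield_id INTEGER PRIMARY KEY,
    task_id      INTEGER NOT NULL REFERENCES task(task_id),
    field        TEXT NOT NULL,
    UNIQUE (task_id, field)
);
CREATE TABLE roletaskfield (                             -- n-m: role may see field
    role_id      INTEGER NOT NULL REFERENCES role(role_id),
    taskfield_id INTEGER NOT NULL REFERENCES taskfield(taskfield_id),
    PRIMARY KEY (role_id, taskfield_id)
);
"""

ROLE_ID = "(SELECT role_id FROM role WHERE name = ?)"
TASK_ID = "(SELECT task_id FROM task WHERE name = ?)"
FIELD_ID = ("(SELECT tf.taskfield_id FROM taskfield tf JOIN task t ON t.task_id = tf.task_id "
            "WHERE t.name = ? AND tf.field = ?)")


def seed(conn):
    """Constructed sample data: admins do everything, users only view and print."""
    conn.executemany("INSERT INTO role(name) VALUES (?)", [("admin",), ("user",)])
    conn.executemany("INSERT INTO task(name) VALUES (?)",
                     [("view",), ("edit",), ("delete",), ("print",)])
    conn.executemany(f"INSERT INTO user(username, role_id) VALUES (?, {ROLE_ID})",
                     [("will", "admin"), ("bob", "user")])
    grants = [("admin", t) for t in ("view", "edit", "delete", "print")]
    grants += [("user", "view"), ("user", "print")]
    conn.executemany(f"INSERT INTO roletask(role_id, task_id) VALUES ({ROLE_ID}, {TASK_ID})", grants)
    # The 'view' task shows three fields; ordinary users must not see internal_notes.
    conn.executemany(f"INSERT INTO taskfield(task_id, field) VALUES ({TASK_ID}, ?)",
                     [("view", "code"), ("view", "author"), ("view", "internal_notes")])
    field_grants = [("admin", "view", f) for f in ("code", "author", "internal_notes")]
    field_grants += [("user", "view", "code"), ("user", "view", "author")]
    conn.executemany(f"INSERT INTO roletaskfield(role_id, taskfield_id) VALUES ({ROLE_ID}, {FIELD_ID})",
                     field_grants)
    conn.commit()


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    seed(conn)
    return conn


def can_perform(conn, username, task):
    """Default deny: unknown user, unknown task or missing roletask row all give False."""
    row = conn.execute(
        "SELECT 1 FROM user u JOIN roletask rt ON rt.role_id = u.role_id "
        "JOIN task t ON t.task_id = rt.task_id WHERE u.username = ? AND t.name = ?",
        (username, task)).fetchone()
    return row is not None


def visible_fields(conn, username, task):
    """Fields of `task` the user's role may see; empty if the task itself is denied."""
    if not can_perform(conn, username, task):
        return []
    rows = conn.execute(
        "SELECT tf.field FROM user u JOIN roletaskfield rtf ON rtf.role_id = u.role_id "
        "JOIN taskfield tf ON tf.taskfield_id = rtf.taskfield_id "
        "JOIN task t ON t.task_id = tf.task_id "
        "WHERE u.username = ? AND t.name = ? ORDER BY tf.field",
        (username, task)).fetchall()
    return [r[0] for r in rows]


def delete_snippet(conn, username, snippet_id):
    """Hypothetical action handler: the check guards the action, not just the link."""
    if not can_perform(conn, username, "delete"):
        raise PermissionError(f"{username} may not delete")
    return f"deleted snippet {snippet_id}"


if __name__ == "__main__":
    db = open_db()
    for who in ("will", "bob", "mallory"):
        print(who, "delete:", can_perform(db, who, "delete"), "sees:", visible_fields(db, who, "view"))
```

Whether you keep one page with an if/else or split it into two, the `can_perform` check has to run inside the handler that actually edits or deletes, because a user can request that URL directly even if the link was never rendered for them. With one role per user the check is a single join, and anything not explicitly granted comes back as denied.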
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Aside from the complexity timvw showed you (which is probably the way you should go), I would do this:

I'm assuming there's some kind of login feature..

// Whitelist of admin usernames; everyone else only gets the view/print features
$admins = array("admin1", "admin2", "etc..");
// Username of the logged-in user, as set by the login feature (e.g. in the session)
$username = isset($_SESSION['username']) ? $_SESSION['username'] : '';
// Strict comparison so only an exact username match counts as admin
if (in_array($username, $admins, true))
{
  // admin features
}

// features available to all here
facets
Forum Contributor
Posts: 273
Joined: Wed Apr 13, 2005 1:53 am
Location: Detroit

Post by facets »

thanks for the reply timvw.
It was very helpful, and RBAC has led me to this site: http://www.tonymarston.net/php-mysql/ro ... ntrol.html
Which has some great diagrams of what you explained.

Time to study some Object Orientated Analysis and Design, I think!

Cheers, Will.