Try to imagine your PHP code as a "middleman" or "clerk" working a walk-up window for some kind of office.
It is that clerk's job to handle incoming requests, file the correct paperwork, hand out a receipts, perform searches, and hand out the requested information. Your clerk (the application) checks to see if a visitor (a web user) is already registered and gives every new person to the office (your site) a blank form to fill out. When the visitor turns in the form (hits submit) the clerk (your application) transfers the information into the correct places (database tables) so that the user's information is now stored for future reference. On a return visit, the clerk (your application) asks the visitor if they are new or already in the system. If they say they are already registered, the clerk asks them to provide some kind of secret information and compares their information with what is on file (your application requests username and password and compares it against what is stored in the database). If everything checks out, the visitor is then allowed to make a request of the clerk (use the protected area of your web site) Your PHP code needs permission to use the database so that it can move data into and out of certain tables. Your application is what maintains each user's credentials in whatever tables you see fit to design. Access to the database is controlled by database permissions. You application needs permission (not each user) to do whatever you need it to do with whatever tables you design. May I suggest some reading: http://dev.mysql.com/doc/mysql/en/Privilege_system.html Start with that and follow the links. If you run into problems with the GRANT/REVOKE statements (if that is the method you choose) come back to the list and we can help you set it up. Keeping login information secure and authenticating users through a web interface is a subject unto itself. Search the web and I will bet you find several hundred methods. Use whatever method you think fits your needs. Shawn Green Database Administrator Unimin Corporation - Spruce Pine PS - It is always better if you CC the list on all responses as I could have been unavailable for an extended period and anyone else on the list could have picked up your question and answered it. Brandon Carter <[EMAIL PROTECTED]> wrote on 10/06/2004 02:40:03 PM: > > Thank you for the thorough reply. Allow me to clarify. > > Go to > http://meta.wikimedia.org/wiki/The_provisional_portal_of_Wikipedia. > This is, as any other Wiki, an open source project > where anyone from anywhere without any sort of > credentials whatsoever has the permission to write to > the website. All of the information is stored in a > MySQL database. So, the user fills in a form, clicks > submit, and the information is sent to the database. > The user has no need to log in or anything. > > Taking a simpler example, a website that sends coupons > to a user. The user must first sign up to get the > coupons. So, the user goes to the web site, fills in > a form, that user information is added to the > database. > > The person who fills in this form is anonymous to > MySQL. When he hits the submit button, his > information is put in the system without him every > entering a password for access. > > So, is it the PHP script (or whatever script) that has > to have permission to access the database? If not, > what permissions need to be set on the database to > allow unfettered updating permission for the user? > > The user never sees the structure of the database, and > is not permitted to see or change other users' > information. So, how are the permitted to put their > information in the database? > > > > > --- [EMAIL PROTECTED] wrote: > > > Security is built in shells (much like onions). > > > > > > Application layer- > > This is where your user interacts with your code. In > > your case, I believe > > that you have a web server running code you wrote in > > PHP responding to > > user requests. Your web server uses a user account > > to interact with the > > operating system. Your user must authenticate with > > the web server (even if > > they authenticate as "anonymous") in order for the > > server to know what > > pages that visitor has rights to see. Some web > > servers check user > > credentials against a list of users they maintain, > > others allow your users > > to use a system login (if they have one) > > > > Your application can also maintain a set of login > > credentials for the > > users of your site. You can chose to inherit the > > username from the Web > > Server, the Operating system, or from an > > authentication process written > > specifically for you application. This is the step > > where your application > > verifies that the current user is authorized to use > > your application. Your > > application itself has several options for how it is > > recognized by the > > operating system. Since your application is > > "hosted" by your web server, > > it (the server) has the option of either starting > > your application as a > > child process of itself (meaning that your > > application has the same user > > rights as your web server) or as a stand-alone > > process (your application > > needs its own operating system account complete with > > its own set of > > permissions) > > > > Data Access layer - > > This is where the database server handles requests > > for data and > > connections. Connections can come from just about > > anywhere: web servers, > > php applications, other external programs (like the > > MySQL client, or > > another MySQL server), etc.). Before a client (a > > client is anything that > > needs a connection) is permitted to connect to the > > database server, that > > client must first prove to the server that it is > > permitted to make a > > connection. It does this by validating a username > > and password with the > > server. Once the connection is established, all > > rights, privileges, and > > restrictions are now in effect for the account that > > was used to establish > > the connection. > > > > Operating system layer - > > Any program that needs CPU time, access to files, or > > access to memory must > > authenticate itself to the operating system before > > it can run. The > > operating system has the last word when it comes to > > permissions. If an > > applications "user" account does not have the > > correct privileges to do > > what it wants to do (like read a file from a certain > > directory) the > > operating system says "no" and errors abound. > > > > So, when you mention "user authentication" it makes > > me wonder.... > > 1 - Are you trying to let the user see your web > > pages (Web server settings > > and maybe OS permissions, too) > > 2 - Are you trying to let your application know who > > a visitor is (comes > > from either web server information or application > > information or both) > > 3 - Are you trying to make a PHP connection to a > > database server. (MySQL > > user setting + PHP connection code. This is almost > > always different your > > OS user information) > > > > I think what you are running into is the 3rd issue > > because you seem to > > think that PHP may be logging into the database > > (creating a database > > connection) with your OS credentials. While I > > believe it is possible to > > script that, I don't think that is the default > > behavior. You should > > probably review the PHP function that you are using > > to create your > > connection to MySQL (mysql_connect()) and review the > > parameters it takes. > > > > You may need to create a new MySQL account, modify > > an existing MySQL > > account, GRANT privileges to an account to the > > tables it needs access to, > > and/or use the correct MySQL account in the > > mysql_connect() function. > > > > DISCLAIMER - Different web servers operate > > differently and expose > > different security APIs so your mileage may vary. > > > > Shawn Green > > Database Administrator > > Unimin Corporation - Spruce Pine > > > > Brandon Carter <[EMAIL PROTECTED]> wrote on > > 10/06/2004 01:02:02 PM: > > > > > I have never set up a web site running a mysql > > server, > > > so I am little fuzzy on details concerning user > > > authentication. Let's say I am creating a page > > where > > > the user will enter his/her information. I write > > a > > > PHP script to update the mysql table when they > > click > > > 'submit'. Do I have to grant priveleges to anyone > > but > > > myself on that table? The script is running from > > my > > > directory, so it's really me who is updating the > > > table, and it's my authentication information that > > the > > > mysql server gets, right? > > > > > > Sorry if that's a totally naïve question. Gotta > > start > > > soemwhere. > > > > > > --Brandon > > > > > > > > > > > > _______________________________ > > > Do you Yahoo!? > > > Declare Yourself - Register online to vote today! > > > http://vote.yahoo.com > > > > > > -- > > > MySQL General Mailing List > > > For list archives: http://lists.mysql.com/mysql > > > To unsubscribe: > > http://lists.mysql.com/[EMAIL PROTECTED] > > > > > > > > ===== > ---Brandon <[EMAIL PROTECTED]> > > > > _______________________________ > Do you Yahoo!? > Declare Yourself - Register online to vote today! > http://vote.yahoo.com
