Want users to only access their own data!!!

Status
Not open for further replies.

longmatch

Programmer
Nov 1, 2001
406
I have designed a website with login-password protection. But for now, each user can see all the data in my database. Obviously, this is not good design. How can I make users only access their own data?

Big thanks

Haijun
 
The basic issue at hand is getting the security of the database to match the security of your web app. The easiest way is to add a criterion to each of the queries that build the record sets: that the userid (of the person logged into the web app) must match the "Owner Id" of the data in the database.

I assume that the database must have a way for data to be associated with an owner. Does the database have an Owner ID type field for each of the data elements you want to protect? An "Owner ID" at the database field will be the only way to "make user only access their own data".

If the database has the Owner Id type field I mention above, there are a variety of ways to pass the User ID to the query requesting the data. The easiest would be to store it as a session variable - Session("UserID") - so that it clears as soon as the person logs off, and add it in the where clause.

Sorry about the long-winded answer. Feel free to reply if I've missed the mark on any of your issues or if you need any additional info.

Eric
 
I am using MS Access 2000 on the backend. I have heard of the session variable before, but I'm not sure how to use it.


Haijun
 
On the first page receiving the login data:
Session("UserID") = Request.Form("USERID")
(assuming the name of the userid field on the login form is USERID).

Once you do this, on any page in your application (you need to make sure this is running as an application in IIS, and that the user is set to accept cookies) all you need to do is reference Session("UserID").

For example:
strSQL = "Select * from table where OwnerID = '" & Session("UserID") & "'"
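
The OwnerID filter described in the replies above, written with a bound ADO parameter instead of string concatenation, because the session value originates from the login form (added example, not code posted in the thread). It assumes Session("UserID") is set only after the login page has verified the password; the Records table and its columns, login.asp, the database path and the 50-character size are hypothetical.

```vbscript
<%
Option Explicit
' Added example: owner-scoped read using a bound parameter (classic ASP + ADO).
' Hypothetical names: Records table/columns, login.asp, the .mdb path.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' No authenticated session: stop before touching the database.
If Session("UserID") & "" = "" Then
    Response.Redirect "login.asp"
End If

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: the Access file lives outside the web root.
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\app.mdb"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is sent as data, so a quote character in the value
' never becomes part of the SQL text.
cmd.CommandText = "SELECT RecordID, Title FROM Records WHERE OwnerID = ?"
cmd.Parameters.Append cmd.CreateParameter("owner", adVarWChar, _
    adParamInput, 50, CStr(Session("UserID")))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output; "& """" turns a Null field into an empty string.
    Response.Write Server.HTMLEncode(rs("Title") & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The same OwnerID condition belongs on every UPDATE, DELETE and single-record lookup by ID, not only on list pages.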

 