Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

What is the best approach to user authentication?

Status
Not open for further replies.
Jakobud

Jakobud

Technical User
Mar 9, 2001
51
US
So I'm setting up a php/mysql driven website on our company's intranet. I need to setup username's and passwords for different individuals because they all need access to different parts of the site.

Now I'm reading up on how to do user authentication. One way I am reading about, involves creating a username/password table in the database, and when the user attempts to login in some generic php/html form, the php logs into the database using a generic login/password, then checks to see if the user's login/password match up with what is in the table.

That's an interesting way to do it. But the thing that is odd to me is that you actually log into the database using a generic login/password (hidden in the php script) and you would simply have to control what the user has access to in your frontend code, based off their login.

MySQL has it's own user authentication system in place, where you create logins and passwords for the database and control what databases and tables they have access to and control what they can do with them. So why wouldn't you do it this way?

Sorry if this sounds confusing, but hopefully users experienced in this understand where I am coming from.
 
Sort by date Sort by votes
I'd prefer application-specific authentication tables for a couple of reasons. One is so my application will control access, allowing for different groups and other classifications. Also, you might want to store more information about a user than is in MySQL, such as email addresses.

Maintaining access control through MySQL's authentication would be difficult as it doesn't allow for a whole lot of options. How would you permit someone to read articles by John but not by Joan, for instance.

 
Upvote 0 Downvote
The thing is whether you want to limit what a user can do in the DB, or what places he can access in the intranet website.

mysql's users table will control only DB actions, but there is no way for you to actually inhibit the access the page unless you have a table that tells you what pages a user has access to.

In other words you can inhibit a user from executing an insert query, but you would not inhibit the user for accessing the page that actually runs the query.

Second you would have to dynamically change the connection details to the DB based on the user that's logged in, but do you really need to stop a user from running a query when you can just stop them from actually accessing the page that runs the query?

I hope i wasn't too confusing.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
 
Upvote 0 Downvote
Okay thanks for your help guys. It helped out a bunch!
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

EdLentz
  • Locked
  • Question
Need to compare two tables and list the differences
Replies
3
Views
201
EdLentz
EdLentz
dylim
  • Locked
  • Question
Why MySQL 5.7 is still getting updates
Replies
3
Views
166
spamjim
spamjim
EdLentz
  • Locked
  • Question
Looking for suggestions on how to do this
Replies
4
Views
208
Chris Miller
Chris Miller
Arthur Lewis
  • Locked
  • Question
How to effect a NOWAIT in the LOCK TABLES statement?
Replies
0
Views
86
Arthur Lewis
Arthur Lewis
waubain
  • Locked
  • Question
Reset cumulative sum to zero on every year
Replies
8
Views
297
waubain
waubain

Part and Inventory Search

Sponsor

Back
Top