Best authentication method for user
10 answers

Hi,
I would like to use a secure way to authenticate my users.
For that I was thinking of using a session and registering the user's login and password
as session variables. That way, when they need to execute a query they will
not have to type everything again; the application will do it by itself.
What do you think about that?
Moreover, there should be a default user with which everybody will be able
to execute some basic queries.
I was thinking of storing this login and password hardcoded in some text
file that will be used by the first web page (some file that I will include
in my PHP code); after that, everything will be managed by PHP sessions and
variables.
I know that hardcoding is not the most secure solution, but the default
user really should not have to enter a login and password. So how can I do that?
Thanks a lot for your answers.
Alain
No.1
Alain Roger wrote:
Hi,
I would like to use a secure way to authenticate my users.
For that I was thinking of using a session and registering the user's login and password
as session variables. That way, when they need to execute a query they will
not have to type everything again; the application will do it by itself.
What do you think about that?
Moreover, there should be a default user with which everybody will be able
to execute some basic queries.
I was thinking of storing this login and password hardcoded in some text
file that will be used by the first web page (some file that I will include
in my PHP code); after that, everything will be managed by PHP sessions and
variables.
I know that hardcoding is not the most secure solution, but the default
user really should not have to enter a login and password. So how can I do that?
What exactly is your application doing? We can't really give much advice
if we don't know what it's for.
No.2
For that i was thinking to use session and register his login and password
as session variable.
What do you think about that ?
I personally would only hold a password for as long as it is needed to
log them in. Then I'd set a session var that they have logged in and
another session var for their level of access.
But that's me.
No.3
In fact, I would like to have 2 profiles.
1 as common user:
everybody should use this profile to browse the website and execute common
queries.
1 as poweruser:
this profile will require a logon on some SSL web page. It is used to
update/administrate the database.
For sure, people with the poweruser profile should log in, so they will type
their login and password.
However, the common users have no reason to type a login and
password; they should only browse the website.
Their login and password will only be used to execute stored
procedures/queries.
That's why I would like to find a way to secure it enough, but the login and
password have to come from somewhere.
The application: a simple MySQL-PHP website for cosmetics services (so
prices, info, appointment reservation, ...).
Does it help you?
Alain
On 4/3/06, Chris <dmagick (AT) gmail (DOT) com> wrote:
Alain Roger wrote:
Hi,
I would like to use a secure way to authenticate my users.
For that I was thinking of using a session and registering the user's login and
password
as session variables. That way, when they need to execute a query they
will
not have to type everything again; the application will do it by itself.
What do you think about that?
Moreover, there should be a default user with which everybody will be
able
to execute some basic queries.
I was thinking of storing this login and password hardcoded in some
text
file that will be used by the first web page (some file that I will
include
in my PHP code); after that, everything will be managed by PHP sessions and
variables.
I know that hardcoding is not the most secure solution, but the
default
user really should not have to enter a login and password. So how can I do that?
What exactly is your application doing? We can't really give much advice
if we don't know what it's for.
No.4
Alain Roger wrote:
In fact, I would like to have 2 profiles.
1 as common user:
everybody should use this profile to browse the website and execute common
queries.
1 as poweruser:
this profile will require a logon on some SSL web page. It is used to
update/administrate the database.
For sure, people with the poweruser profile should log in, so they will type
their login and password.
However, the common users have no reason to type a login and
password; they should only browse the website.
Their login and password will only be used to execute stored
procedures/queries.
That's why I would like to find a way to secure it enough, but the login
and password have to come from somewhere.
The application: a simple MySQL-PHP website for cosmetics services (so
prices, info, appointment reservation, ...).
I'd do it like this
A non-logged-in user should only be doing searching, browsing
categories, possibly adding to a shopping cart (if it exists).
A logged-in user can make appointments.
A super-user can change prices, make new categories and so on (in your
admin area).
Store details in the db & session - or for a shopping cart, in a cookie
so they can come back later and complete a purchase.
On 4/3/06, Chris <dmagick (AT) gmail (DOT) com> wrote:
Alain Roger wrote:
Hi,
I would like to use a secure way to authenticate my users.
For that I was thinking of using a session and registering the user's login and
password
as session variables. That way, when they need to execute a
query they will
not have to type everything again; the application will do it by itself.
What do you think about that?
Moreover, there should be a default user with which everybody
will be able
to execute some basic queries.
I was thinking of storing this login and password hardcoded in
some text
file that will be used by the first web page (some file that I
will include
in my PHP code); after that, everything will be managed by PHP
sessions and
variables.
I know that hardcoding is not the most secure solution, but
the default
user really should not have to enter a login and password. So how can I do that?
What exactly is your application doing? We can't really give much
advice
if we don't know what it's for.
No.5
OK, but how do I make a non-logged-in user execute some stored procedures or
queries?
MySQL will need a login and password for that.
So that's why I've asked this question: how and where do I store this
non-logged-in user's info (login, password) so that the physical user does not have to type them?
(This must be secure enough.)
Thanks a lot,
Alain
On 4/3/06, Ligaya Turmelle <lig (AT) maolek (DOT) com> wrote:
For that i was thinking to use session and register his login and
password
as session variable.
What do you think about that ?
I personally would only hold a password for as long as it is needed to
log them in. Then I'd set a session var that they have logged in and
another session var for their level of access.
But that's me.
--
life is a game so have fun.
No.6
On 4/3/06, Alain Roger <raf.news (AT) gmail (DOT) com> wrote:
OK, but how do I make a non-logged-in user execute some stored procedures or
queries?
MySQL will need a login and password for that.
So that's why I've asked this question: how and where do I store this
non-logged-in user's info (login, password) so that the physical user does not have to type them?
(This must be secure enough.)
A config file:
<?php
define('DB_USER', 'xxx');
?>
You don't want to make your users know your database details!
On 4/3/06, Ligaya Turmelle <lig (AT) maolek (DOT) com> wrote:
For that i was thinking to use session and register his login and
password
as session variable.
What do you think about that ?
I personally would only hold a password for as long as it is needed to
log them in. Then I'd set a session var that they have logged in and
another session var for their level of access.
But that's me.
--
life is a game so have fun.
No.7
I suppose that this config file should be included in all PHP files via the
include command.
Is that true?
On 4/3/06, chris smith <dmagick (AT) gmail (DOT) com> wrote:
On 4/3/06, Alain Roger <raf.news (AT) gmail (DOT) com> wrote:
OK, but how do I make a non-logged-in user execute some stored procedures or
queries?
MySQL will need a login and password for that.
So that's why I've asked this question: how and where do I store this
non-logged-in user's info (login, password) so that the physical user does not have to type
them?
(This must be secure enough.)
A config file:
<?php
define('DB_USER', 'xxx');
?>
You don't want to make your users know your database details!
On 4/3/06, Ligaya Turmelle <lig (AT) maolek (DOT) com> wrote:
For that i was thinking to use session and register his login and
password
as session variable.
What do you think about that ?
I personally would only hold a password for as long as it is needed to
log them in. Then I'd set a session var that they have logged in and
another session var for their level of access.
But that's me.
--
life is a game so have fun.
No.8
On 4/3/06, Alain Roger <raf.news (AT) gmail (DOT) com> wrote:
I suppose that this config file should be included in all PHP files via the
include command.
Is that true?
Yes.
I'd actually use 'require' not 'include' since you always want it to be there.
No.9
Alain Roger wrote:
OK, but how do I make a non-logged-in user execute some stored procedures or
queries?
MySQL will need a login and password for that.
So that's why I've asked this question: how and where do I store this
non-logged-in user's info (login, password) so that the physical user does not have to type them?
(This must be secure enough.)
Thanks a lot,
Alain
On 4/3/06, Ligaya Turmelle <lig (AT) maolek (DOT) com> wrote:
For that i was thinking to use session and register his login and
password
as session variable.
What do you think about that ?
I personally would only hold a password for as long as it is needed to
log them in. Then I'd set a session var that they have logged in and
another session var for their level of access.
But that's me.
--
life is a game so have fun.
Are you talking about the level of MySQL access or the level of access
to a site? They are 2 completely separate things.
A site can use 1 or multiple MySQL users depending upon the level of
privileges you want to give them. You could always link the level of
site access to the MySQL user in your authentication area.
<off the top of my head>
(guest = 1, user = 5, super = 9)
switch ($_SESSION['level'])
{
    case 1:
        $db_user = 'site_guest';
        break;
    case 5:
        $db_user = 'site_user';
        break;
    case 9:
        $db_user = 'site_super';
        break;
    default:
        $db_user = 'site_guest';
}
In a config file you would have the various usernames and their matching
passwords, and yes, I would require it on all pages.
And on the page itself display various parts (or not) based on their
$_SESSION['level'] of access:
if ($_SESSION['level'] > 1)
{
    // display something only a user or super would see
}
In the DB you have a site_guest who has GRANTS on SELECT, a site_user who
has GRANTS on SELECT, UPDATE, INSERT, DELETE, EXECUTE for specific
tables (maybe content tables) and stored procedures on them, and
site_super that has full DB access for the tables associated with
the site.
</off the top of my head>
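A worked version of the setup sketched in this reply, combined with the required-config-file advice earlier in the thread (No.6 and No.8), as an added example; it is not code from the thread or from any of the posters. It assumes a database named cosmetics, a site_accounts table with login, password_hash and level columns, the three MySQL accounts site_guest, site_user and site_super, and a config file kept outside the web root; every secret shown is a placeholder.

```php
<?php
// Added example (not code from the thread). It combines the advice above:
// a config file required on every page that holds the per-role MySQL
// credentials, a login handler that keeps the password only long enough to
// verify it, and a connection helper that picks the MySQL account from
// $_SESSION['level']. Paths, table/column names and secrets are assumptions.
declare(strict_types=1);

// --- config.php (keep it outside the web root, e.g. /var/www/private/) ---
// The three accounts are created in MySQL with only the rights each role needs:
//   CREATE USER 'site_guest'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON cosmetics.* TO 'site_guest'@'localhost';
//   CREATE USER 'site_user'@'localhost'  IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON cosmetics.* TO 'site_user'@'localhost';
//   CREATE USER 'site_super'@'localhost' IDENTIFIED BY '...';
//   GRANT ALL PRIVILEGES ON cosmetics.* TO 'site_super'@'localhost';
const LEVEL_GUEST = 1;
const LEVEL_USER  = 5;
const LEVEL_SUPER = 9;

const DB_DSN = 'mysql:host=localhost;dbname=cosmetics;charset=utf8mb4';
const DB_ACCOUNTS = [
    LEVEL_GUEST => ['user' => 'site_guest', 'pass' => 'guest-secret-placeholder'],
    LEVEL_USER  => ['user' => 'site_user',  'pass' => 'user-secret-placeholder'],
    LEVEL_SUPER => ['user' => 'site_super', 'pass' => 'super-secret-placeholder'],
];

// --- helpers, pulled in on every page with require (not include) ---

/** Map a session level to a MySQL account; anything unknown falls back to guest. */
function dbAccountForLevel(int $level): array
{
    return DB_ACCOUNTS[$level] ?? DB_ACCOUNTS[LEVEL_GUEST];
}

/** Anonymous visitors have no session level and are treated as guests. */
function currentLevel(): int
{
    return (int) ($_SESSION['level'] ?? LEVEL_GUEST);
}

/** Open a PDO connection as the account matching the visitor's level. */
function dbConnect(): PDO
{
    $acct = dbAccountForLevel(currentLevel());
    return new PDO(DB_DSN, $acct['user'], $acct['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * Verify a site login against the stored password hash and, on success, keep
 * only "logged in" plus the access level in the session. The plaintext
 * password is never written to the session. Assumed table:
 * site_accounts(login, password_hash, level).
 */
function login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash, level FROM site_accounts WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the login is unknown, so an
    // attacker cannot tell valid from invalid logins by response time.
    $hash = is_array($row) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!is_array($row) || !password_verify($password, $hash)) {
        return false;
    }

    session_regenerate_id(true);            // fresh session id after a privilege change
    $_SESSION['logged_in'] = true;
    $_SESSION['level']     = (int) $row['level'];
    $_SESSION['login']     = $login;
    return true;
}

/** Gate for the admin pages (the "poweruser" profile). */
function requireLevel(int $minimum): void
{
    if (currentLevel() < $minimum) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// --- usage on a page ---
// session_start();
// $db = dbConnect();                                   // site_guest for anonymous visitors
// if (login($db, $_POST['login'], $_POST['password'])) {
//     $db = dbConnect();                               // reconnect as the new role's account
// }
// requireLevel(LEVEL_SUPER);                           // at the top of admin pages
```

The guest account can read site_accounts because the login check runs before the visitor has any other privilege; the MySQL grants, not the PHP code, are what stop a guest connection from running UPDATE or the admin stored procedures, so the web-tier level check and the database grants back each other up.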
No.10
Hi Alain.
On the authentication front, you can use HTTP basic authentication for
this kind of thing too, and it means you're not having to re-invent the
wheel in a lot of ways. The Auth_HTTP PEAR module makes this pretty
simple to implement:
You can integrate your own authentication mechanisms (i.e. DB-stored
passwords, LDAP authentication, whatever you like really) quite easily.
Permissions systems are harder to implement. The PEAR LiveUser package
is attempting to make this a bit easier too:
HTH. Grant
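The HTTP Basic authentication Grant suggests, written in plain PHP rather than the PEAR Auth_HTTP package, as an added example that is not code from the thread or from PEAR. It protects the admin ("poweruser") pages, insists on TLS because Basic auth only base64-encodes the password, and checks against password_hash() output instead of plaintext; the user list, realm and password are assumptions.

```php
<?php
// Added example, not code from the thread or from the PEAR Auth_HTTP package
// mentioned above: HTTP Basic authentication for the admin ("poweruser")
// pages done in plain PHP. The user list, realm and password are assumptions.
declare(strict_types=1);

// In a real deployment the hashes live in the required config file or in the
// database; here one entry is constructed at load time for the example.
$ADMIN_USERS = [
    'alain' => password_hash('change-me', PASSWORD_DEFAULT),
];

/** Split an "Authorization: Basic ..." header into [user, password] or [null, null]. */
function parseBasicHeader(string $header): array
{
    if (stripos($header, 'Basic ') !== 0) {
        return [null, null];
    }
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return [null, null];
    }
    return explode(':', $decoded, 2);   // the password may itself contain ':'
}

/** Check one credential pair against the hash table; true only on a match. */
function checkBasicCredentials(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

/**
 * Require a valid Basic auth login for the current request and return the
 * username; otherwise send the 401 challenge and stop.
 */
function requireBasicAuth(array $users, string $realm = 'Admin area'): string
{
    // Basic auth only base64-encodes the password, so insist on TLS (the
    // "ssl webpage" Alain mentioned). Behind a reverse proxy $_SERVER['HTTPS']
    // may be unset; adapt this check to how your front end signals TLS.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('Admin login requires HTTPS');
    }

    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    // Some SAPIs (CGI/FastCGI) only expose the raw header, so parse it ourselves.
    if ($user === null && isset($_SERVER['HTTP_AUTHORIZATION'])) {
        [$user, $pass] = parseBasicHeader($_SERVER['HTTP_AUTHORIZATION']);
    }

    if (checkBasicCredentials($users, $user, $pass)) {
        return $user;
    }

    header(sprintf('WWW-Authenticate: Basic realm="%s", charset="UTF-8"', $realm));
    http_response_code(401);
    exit('Authentication required');
}

// --- usage at the top of every admin page ---
// require '/var/www/private/config.php';       // where $ADMIN_USERS really lives
// $admin = requireBasicAuth($ADMIN_USERS);
// echo 'Logged in as ' . htmlspecialchars($admin);
```

Browsers resend the Basic credentials with every request to the realm, so there is no "logout" short of closing the browser; for the public side of the site, where the thread wants no login at all, this mechanism is not needed and the guest database account covers browsing.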