tags:

views:

31

answers:

2
Q: 

Limiting Access by Permission

Hi, thanks for viewing this. I have a db that has users, roles & user_roles. What I am trying to achieve is a login that will select users who have Admin or Associate permissions. The login then uses name and password to permit access.

My SQL syntax thus far is - 

SELECT * FROM users 
LEFT JOIN ON user_roles 
ON user.id=user_roles.userid AND roleid IN (Administrator, Associate) 
WHERE username = '$username' AND password = '$password'";

I am not sure where I am going wrong.

Thanks in advance for your help.

+1  A: 

Try replacing "LEFT JOIN" by "INNER JOIN"

Sergio  2009-11-13 16:49:52
Hi Sergio - I had also had a similar thought and had tried this before posting but it didn't work for me. Thank you for your input, it is really appreciated.
Ddywalgi  2009-11-13 19:57:27
A: 

Here's how I'd write the query:

$stmt = $pdo->prepare("
SELECT (u.password = :password) AS password_is_correct,
  (r.roleid IS NOT NULL) AS role_is_authorized
FROM users u
LEFT JOIN ON user_roles r
  ON u.id=r.userid AND r.roleid IN (Administrator, Associate) 
WHERE u.username = :username");

$stmt->execute(array(":password"=>$password, ":username"=>$username));

This allows you to distinguish between the three conditions: (1) username does not exist, (2) password is wrong, or (3) role is not authorized.

PS: Should "Administrator" and "Associate" be quoted or something? The way you're using them, they look like identifiers rather than values.

Bill Karwin  2009-11-13 17:19:11
Hi Bill - thankyou for this, Administrator and Associate are the id in user_roles and therefore identifiers, however SQL does prefer them to be in '' quotes as they are varchar not int as adding (Administrator)as an id was rejected by MySql until it was communicated as ('Administrator').An eloquent solution Bill Thankyou. I am now eager to try this.
Ddywalgi  2009-11-13 19:50:01
Note that the usage of a boolean predicate in the select-list is permitted by MySQL, but in more strictly SQL-compliant databases this is not allowed. To write more portable SQL, do something like: `CASE WHEN (u.password=:password) THEN 1 ELSE 0 END CASE AS password_is_correct`
Bill Karwin  2009-11-13 20:35:00
Hi Bill I am getting the following error. Undefined variable: pdo in... and also Fatal error: Call to a member function prepare() on a non-object in I will try and sort this and get back if I find an answer.
Ddywalgi  2009-11-14 13:01:48
The `$pdo` variable represents a PDO object, connected to a database. See http://php.net/manual/en/pdo.construct.php
Bill Karwin  2009-11-14 16:55:21
Thank you Bill. I wasn't aware of this method. Thanks very much.
Ddywalgi  2009-11-18 11:05:59

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP