When I am grabbing data from my table that require permissions, should all the permission be done there? Such as checking for an admin or if they can view the data (in MySQL)?

Or should I grab it if they have a record at all, then check the specific actions (such as view, add, edit, delete) on the PHP side?

+1  A: 

Do it in PHP. Say you have the user Admin, and you are going to look at the table books. If you do it in MySQL, you have to make a join to see if they can access the data and then grab the data. If you do it in PHP, you check if they have the permission, and if they don't, stop processing and never attempt to grab data from books. It is more secure that way if someone tries to exploit your server.

Aaron Harun
One can stop processing in MySQL too, or one can limit it so no query will ever give back unauthorized data with SQL (it's even possible to make it such that even if the scripts are compromised the data isn't); however, figuring out the SQL subroutines to do such for a given security model is very complicated and in most cases it's certainly overkill.
ewanm89
I don't understand how there is a security risk in doing it in MySQL? If I have a LEFT JOIN and it NEEDS to have those permissions, it will return nothing. I am using MySQLi and prepared statements for any user input, not concerned over SQL Injection
Kerry
Disagreed w/Aaron; doing it in MySQL will probably be faster and is no less secure. If your queries only return data that the user has access to, then no problem security-wise.
El Yobo
+1  A: 

It's usually more efficient to do everything in SQL but it's also more complicated, and can be a lot harder to maintain.

Mostly it depends on your exact security model and security concerns.

ewanm89
Security needs to be pretty high
Kerry
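The two approaches debated in the answers above, side by side, as an added example that is not part of the original thread. The table and column names are hypothetical, and PDO with an in-memory SQLite database stands in for MySQLi so the script runs offline; the prepared queries are the same in MySQL.

```php
<?php
// Added example: schema and names are hypothetical, not taken from the thread.
// SQLite in memory stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE book_permissions (user_id INTEGER, book_id INTEGER, action TEXT,
           PRIMARY KEY (user_id, book_id, action))');
// Constructed sample data: user 1 may view and edit book 10, user 2 may only view it.
$db->exec("INSERT INTO books VALUES (10, 'Ledger'), (11, 'Payroll')");
$db->exec("INSERT INTO book_permissions VALUES (1, 10, 'view'), (1, 10, 'edit'), (2, 10, 'view')");

const ACTIONS = ['view', 'add', 'edit', 'delete'];

// Approach 1 (PHP side): check the permission first, never touch books if it fails.
function canDo(PDO $db, int $userId, int $bookId, string $action): bool {
    if (!in_array($action, ACTIONS, true)) return false;    // deny unknown actions
    $st = $db->prepare('SELECT 1 FROM book_permissions
                        WHERE user_id = ? AND book_id = ? AND action = ?');
    $st->execute([$userId, $bookId, $action]);
    return $st->fetchColumn() !== false;
}
function fetchBookPhpCheck(PDO $db, int $userId, int $bookId): ?array {
    if (!canDo($db, $userId, $bookId, 'view')) return null; // stop before querying books
    $st = $db->prepare('SELECT id, title FROM books WHERE id = ?');
    $st->execute([$bookId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Approach 2 (SQL side): the INNER JOIN makes the permission row mandatory, so a
// user without it gets zero rows. A LEFT JOIN only behaves this way if the WHERE
// clause also requires the permission columns to be non-NULL.
function fetchBookSqlCheck(PDO $db, int $userId, int $bookId): ?array {
    $st = $db->prepare("SELECT b.id, b.title FROM books b
                        JOIN book_permissions p ON p.book_id = b.id
                        WHERE b.id = ? AND p.user_id = ? AND p.action = 'view'");
    $st->execute([$bookId, $userId]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Permitted user, both approaches compared.
var_dump(fetchBookPhpCheck($db, 2, 10) === fetchBookSqlCheck($db, 2, 10));
// User 2 has no permission row for book 11.
var_dump(fetchBookSqlCheck($db, 2, 11));
// User 2 is view-only on book 10, so the per-action check is what gates an edit.
var_dump(canDo($db, 2, 10, 'edit'));
```

Both functions bind every user-supplied value as a parameter, so the difference between them is where the deny decision is made, not exposure to injection.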