List:General Discussion« Previous MessageNext Message »
From:Adam Alkins Date:June 16 2010 8:16pm
Subject:Re: opening a server to generalized queries but not "too" far
View as plain text  
MySQL doesn't have row level permissions, but this is what VIEWS are for. If
you only want access to specific rows, create a view with that subset of
data. You can create a function (privilege bound) to create the view to make
this more dynamic.

If you want direct access to the database, then you will need multiple MySQL
users. I don't quite get the purpose of what you're trying to do through a
PHP script; I see little reason why you can't use some client level security
to facilitate data access, especially if you're going to implement dynamic
creation of users in the PHP script itself (which would be rather weak
security imho).

-- 
Adam Alkins || http://www.rasadam.com

On 16 June 2010 14:48, Don Cohen <don-mysql8y@stripped> wrote:

> Adam Alkins writes:
>  > Sounds like you just want to GRANT access to specific tables (and with
>  > limited commands), which is exactly what MySQL's privilege system does.
>
> How about this part?
>  > > Finally, suppose I want to limit access to the table to the rows
>  > > where col1=value1.  If I just add that to <wherespec> what can an
>  > > attacker do to read other rows?
>
> The http request I have in mind will be something like
>  https://server.foo.com?user=john&password=wxyz&...
> and the resulting query something like
>  select ... from table where user=john and ...
> (I will first have verified the password.)
>
> It seems I'd have to create a separate mysql user for each user in
> my table, and perhaps also a separate separate table (or view?) for
> that user to be allowed to read.
> I suppose the php process could create the table/view, create the
> user, then connect as the user to execute the query, then remove the
> user.
>
> Even if this turns out to be the best solution, I'm interested in
> the answer to the original question.
>
>

Thread
opening a server to generalized queries but not "too" far(Don Cohen)16 Jun
  • Re: opening a server to generalized queries but not "too" farAdam Alkins16 Jun
    • Re: opening a server to generalized queries but not "too" far(Don Cohen)16 Jun
      • Re: opening a server to generalized queries but not "too" farAdam Alkins16 Jun
      • RE: opening a server to generalized queries but not "too" farDaevid Vincent16 Jun
        • RE: opening a server to generalized queries but not "too" far(Don Cohen)16 Jun
          • RE: opening a server to generalized queries but not "too" farWm Mussatto17 Jun
          • RE: opening a server to generalized queries but not "too" farDaevid Vincent17 Jun
            • RE: opening a server to generalized queries but not "too" far(Don Cohen)17 Jun
  • Re: opening a server to generalized queries but not "too" farRaj Shekhar18 Jun
    • Re: opening a server to generalized queries but not "too" far(Don Cohen)18 Jun