From:Alex Heiphetz Date:August 10 1999 11:29pm
Subject:Re: how to handle username/password in a db
Jerry:

I would use .htaccess and something like this:


# REMOTE_USER is set by the web server only after .htaccess (Basic auth)
# has checked the login; if it is missing, nobody was authenticated.
if (!defined $ENV{'REMOTE_USER'} || $ENV{'REMOTE_USER'} eq "")
	{
	print "Something is wrong<BR>\n";
	exit;
	}
else
	{
	$user_login = $ENV{'REMOTE_USER'};
	}

# placeholders for your own subs: open the DB, fetch this user's
# privileges row, and set $action_flag ("user", "boss", ...) from it
&connect_to_db;
&read_user_privileges_from_db;
&set_action_flag_corresponding_to_privileges;

# you can use action_flag like this ($action is the operation the
# form asked for)
if ($action eq "delete")
	{
	if ($action_flag eq "user")
		{
		print "you cannot do this, pal\n";
		exit;
		}
	elsif ($action_flag eq "boss")
		{
		# do delete command
		# ....................
		# .................
		}
	}


The trick here is to have the programs run from the directory
below the one where you place .htaccess; otherwise $ENV{'REMOTE_USER'}
is undefined.

Hope it helps.

Regards,
A.Heiphetz
At 02:11 PM 8/10/99 -0700, Jerry Preeper wrote:
>Hi All,
>
>I was wondering how others might be handling the allowing of access to a
>perl script using a database that includes usernames and passwords.  
>
>For example, I am working on a project where I have a perl program that
>will allow people to add to and edit listings in a list table.  Each
>listing has a user id attached to it (users may have multiple listings) and
>there is a separate table for all these people that would include their
>contact info, their username and password.  These are not people that would
>be in the mysql privileges table - it's a web based thing.  
>
>What I want to be able to do is to have a login screen that they enter
>their username and password, which then determines what they are allowed to
>do.  For example, they would only be able to edit certain items in existing
>records that they are the user id on and add new records (which would still
>need to be approved by an administrator).  An administrator (who would also
>have a login) would be able to do lots of other things in the db.  There is
>a field in the database that determines what level the person is when they
>log in based upon their username/password.
>
>My questions are: 
>
>1) Should I use cookies to track their session or is there a better method?
>  I understand I can set like a 60 minute cookie with a unique string
>containing their username and password that can be passed back and forth as
>they go through various screens.  Is this reasonably reliable or is there a
>better method that holds their username and password as they go through
>various screens?  
>
>Any perl examples of either would be greatly appreciated.
>
>2) One way encrypting of password vs two way.  One thing I'm afraid of is
>that people will invariably lose their password and it would be nice to
>have a routine that they can have it emailed to the email address in the
>database.  I'm guessing to do this, however, I would need to use an
>encryption scheme that can be used to encrypt and decrypt.  Is this still
>reasonably secure?  Or would it be preferable to stick with one-way
>encryption and if someone loses their password, just issue them a new one?
>I'm trying to automate as much as I can.
>
>3) Overall security.  I don't want to put this behind a .htaccess file
>simply to avoid the extra steps.  I also want to make sure people who are
>on webtv and things like that won't have problems with stuff like cookies
>either.  The data in the file isn't super top secret but I would like to
>maintain a reasonably good level of security.   Is there an advantage to
>putting it behind a secure server (https)?  Any thoughts or comments would
>be appreciated.
>
>Thanks again.
>
>Jerry Preeper
>
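An added example of the pattern Alex describes (not code from his post or from Jerry's project): trust REMOTE_USER only when the server actually set it, fetch the user's level from the users table with a bound-parameter query, and grant actions from an explicit per-role table so anything not listed is denied. It assumes DBD::SQLite as an in-memory stand-in for the MySQL users table; the table, column, login and role names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Role -> actions it may perform. Actions not listed here are denied,
# so a newly added operation is closed until someone grants it.
my %PERMITTED = (
    user => { edit_own => 1, add => 1 },
    boss => { edit_own => 1, add => 1, delete => 1, approve => 1 },
);

# Fetch the level stored for an already-authenticated login (assumed
# table "users" with columns username/level). Bound parameter, no
# string interpolation into SQL. Returns undef for an unknown login.
sub role_for_login {
    my ($dbh, $login) = @_;
    my ($role) = $dbh->selectrow_array(
        'SELECT level FROM users WHERE username = ?', undef, $login);
    return $role;
}

# Pure decision: does this role permit this action? Deny by default.
sub can_do {
    my ($role, $action) = @_;
    return 0 unless defined $role && exists $PERMITTED{$role};
    return $PERMITTED{$role}{$action} ? 1 : 0;
}

# Full check: authenticated by the server? known in the DB? permitted?
sub authorize {
    my ($dbh, $env, $action) = @_;
    my $login = $env->{REMOTE_USER};
    return (0, 'not authenticated') if !defined $login || $login eq '';
    my $role = role_for_login($dbh, $login);
    return (0, "unknown user $login") unless defined $role;
    return can_do($role, $action) ? (1, "$login ($role) may $action")
                                  : (0, "$login ($role) may not $action");
}

# Constructed in-memory table standing in for the MySQL users table.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE users (username TEXT, level TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, @$_)
    for ['jerry', 'user'], ['alex', 'boss'];

# Constructed requests: (environment as the web server would set it, action).
for my $case ([{REMOTE_USER => 'jerry'}, 'delete'],
              [{REMOTE_USER => 'alex'},  'delete'],
              [{REMOTE_USER => ''},      'add'],
              [{REMOTE_USER => 'mallory'}, 'add']) {
    my ($ok, $why) = authorize($dbh, @$case);
    print(($ok ? 'ALLOW ' : 'DENY  '), "$why\n");
}
```

In a real CGI script the call becomes `authorize($dbh, \%ENV, scalar $q->param('action'))` with `$dbh` opened against MySQL as a low-privilege account rather than root.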