472,356 Members | 2,079 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,356 software developers and data experts.

Secure Database Design Part II

Hey folks -

Thanks to everyone who gave input to my concerns. Of course, we don't intend
to have the mysql port open to the world. We will have Apache/PHP connect on
a unix socket, or to another machine with a cross-cable on non-routeable

But now I have another question. We are working on a web database to allow
our suppliers to log on and submit information that they would otherwise
fax, email, or phone to us. It would reduce work in our office, and reduce
errors in duplication of our information. But, we are very concerned about

We aren't worried so much about outside hackers as we are about legit users
trying to gain access to information they shouldn't. Some of our suppliers
are overseas and we think they have no qualms about trying to hack the
system, knowing the stunts they have pulled in the past. It would be
extremely difficult to pursue any problems legally, since it would be
international, and the damage would be already done.

So, here's my question. Good database design dictates that I normalize my
tables. So, in this simplified example, we have a table of supplier quotes:


All of our suppliers would be drawing from the same table, via php. I'm
worried that good database design might be more susceptible to information
'spilling over' -- what if I make a simple mistake and put the wrong
supplier_id with a new user's logon? That new user would see all the parts
that belong to whatever company I mistakenly associate them with.

I'm not so worried about, say, suppliers seeing sales data. All the php
pages will be protected by Unix filesystem permissions, so I can be
reasonably certain that only those belonging to the suppliers group will be
able to execute supplier_*.php. Even if they do load some sales_*.php page,
then the MySQL user permissions will stop them from actually seeing any data
on the page. So there are two layers of security between sales and
suppliers, for example. I would have to make two mistakes for them to have
access to sales data.

But, when all suppliers are accessing the same pages, it's up to my careful
hands to make sure they are pulling only their records out of the table. If
I make a mistake in a query, it might pull up other records, or even all

Of course if I design it completely perfectly the first time, I don't have
to worry about anything. But I'm not perfect and I don't make perfect

So, I'm thinking I should violate good design principles, and setup
identical tables for each supplier, salesperson, customer, etc. That way,
since they share the same PHP pages, they aren't all pulling data from the
same table. If there is any mixup in the query, the user doesn't have the
MySQL permission to pull data from another suppliers table.

Does this make sense?

Steve Lefevre
Network Administrator
IMI International, Inc.
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/my***********...ie.nctu.edu.tw

Jul 19 '05 #1
0 1430

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: Sarah Tanembaum | last post by:
I was wondering if it is possible to create a secure database system using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc)...
by: opt_inf_env | last post by:
Hello, I have a page such that each user can see only a corresponding (personal) part of the page. In the beginning I wanted to perform initialization of users (by asking there names and...
by: Lefevre, Steven | last post by:
Hey folks - Thanks to everyone who gave input to my concerns. Of course, we don't intend to have the mysql port open to the world. We will have Apache/PHP connect on a unix socket, or to another...
by: Annette Massie | last post by:
I have a database that contains complaint information in regards to Law Enforcement. They need to have this database secure and out of reach for all but two users. (including me, they say). In...
by: Norm | last post by:
Hi All, I have an MDB file which I want to remain secure. It checks for certain parameters upon startup, and will automatically exit if the program is opened/executed by an unauthorized user. ...
by: Jason Smith | last post by:
I have recently designed an application in Ms Access with the folllowing security: 1) Database is split into a front-end / backend with linked tables 2) All modules are password protected 3)...
by: Pachydermitis | last post by:
Hi all you Access Experts, I need to secure the code on a database that has a subform that changes on the fly. I have tried everything I can think of. -MDE: Can't change forms -Put the form in a...
by: Joe | last post by:
I have an application which runs in a non-secure environment. I also have an application that runs in a secure environment (both on the same machine). Is there any way to share the session data for...
by: vicky | last post by:
Hi All, Can u please suggest me some books for relational database design or database modelling(Knowledgeable yet simple) i.e. from which we could learn database relationships(one to many,many to...
by: Kemmylinns12 | last post by:
Blockchain technology has emerged as a transformative force in the business world, offering unprecedented opportunities for innovation and efficiency. While initially associated with cryptocurrencies...
by: Matthew3360 | last post by:
Hi, I have a python app that i want to be able to get variables from a php page on my webserver. My python app is on my computer. How would I make it so the python app could use a http request to get...
by: Arjunsri | last post by:
I have a Redshift database that I need to use as an import data source. I have configured the DSN connection using the server, port, database, and credentials and received a successful connection...
by: Matthew3360 | last post by:
Hi, I have been trying to connect to a local host using php curl. But I am finding it hard to do this. I am doing the curl get request from my web server and have made sure to enable curl. I get a...
by: Oralloy | last post by:
Hello Folks, I am trying to hook up a CPU which I designed using SystemC to I/O pins on an FPGA. My problem (spelled failure) is with the synthesis of my design into a bitstream, not the C++...
by: Carina712 | last post by:
Setting background colors for Excel documents can help to improve the visual appeal of the document and make it easier to read and understand. Background colors can be used to highlight important...
by: BLUEPANDA | last post by:
At BluePanda Dev, we're passionate about building high-quality software and sharing our knowledge with the community. That's why we've created a SaaS starter kit that's not only easy to use but also...
by: Rahul1995seven | last post by:
Introduction: In the realm of programming languages, Python has emerged as a powerhouse. With its simplicity, versatility, and robustness, Python has gained popularity among beginners and experts...
by: Ricardo de Mila | last post by:
Dear people, good afternoon... I have a form in msAccess with lots of controls and a specific routine must be triggered if the mouse_down event happens in any control. Than I need to discover what...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.