I'm rather new to developing mysql/php applications and am after some advice
on handling user validation for a web based system. I've implemented a number
of ways and would like to know which way is better in regards to security
etc. Here are the ways I have implemented this in the past:
a) The user submits login/pass via a form, the mssql db is accessed via a no login,
no pass account, and a basic "select from subscribers where user=$blah and
pass=$boo" is implemented; if there's a result match the user can proceed, if
not they are booted back to the login with an error message.
b) Each user of the system has an account in the mysql/user table, set
up via grant statements by a system admin, so then you can do a direct
login to the database with the user's submitted info. If the connection is
granted then the rest of the subscriber info is pulled out of a second table
in the application's own database, linking the two tables on unique login
names. If allowed to make a database connection, the user can access the
rest of the site; if access is denied, they are booted back to the login
screen.
For both of these methods I store the submitted user/pass info in session
variables, and this info is verified on every page by an include file. Is
this a good idea? Or would it be wiser to use a variable that can only be
set when a successful login is made, and then check if that variable
exists instead? (I'm doing this so that no one can simply go to
http://www.etc-etc/mypage.php)
My questions on these methods are:
For a), is it a good idea to set up a database that doesn't require a user
to actually log into it? I.e. to check that the user's info is correct,
an account must be set up for anyone to access in order to check if the login info is
correct, because if they can't access the database how can they have their
login/pass validated? I have a feeling that employing that method simply
isn't very secure.
b) Is having a large number of accounts in the user table of the
mysql db a safe way to go? This way I can enforce security through mysql
itself ... if the user doesn't have 'granted' access to the database, they
get no access; mysql is performing this validation for itself.
Am I on the right track with either method? Or is there a better way that I
am totally missing? Any help would be greatly appreciated.
Cheers -Ben.
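One way to harden method a) and to answer the session-variable question, as an added example written for this thread rather than taken from Ben's post. It assumes PHP with PDO, a constructed `subscribers` table with `user` and `pass_hash` columns (the hash produced by `password_hash()`), a dedicated low-privilege `app_login` database account whose password comes from the `APP_DB_PASSWORD` environment variable, and page names `login.php` / `home.php`; none of these names are from the original post.

```php
<?php
// Added example (not from the original post): hardened form of method a).
// Schema, account name and page names are constructed assumptions.
declare(strict_types=1);
session_start();

function pdo_connect(): PDO {
    // A separate, minimal-privilege account (SELECT on subscribers only),
    // instead of a "no login, no pass" account shared with everything else.
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_login', getenv('APP_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function login(PDO $pdo, string $user, string $pass): bool {
    // Parameterised query: the submitted values never become part of the
    // SQL text, unlike "select ... where user=$blah and pass=$boo".
    $stmt = $pdo->prepare('SELECT pass_hash FROM subscribers WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored hash, so the plaintext password is neither
    // kept in the database nor carried around in the session.
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }
    // Success: issue a fresh session id and set a flag that only this code
    // path sets. Every page checks the flag, not the submitted credentials.
    session_regenerate_id(true);
    $_SESSION['auth_user'] = $user;
    return true;
}

// The include file placed at the top of every protected page.
function require_login(): void {
    if (empty($_SESSION['auth_user'])) {
        header('Location: /login.php');
        exit;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');
    $ok = login(pdo_connect(), $user, $pass);
    header('Location: ' . ($ok ? '/home.php' : '/login.php?err=1'));
    exit;
}
```

With this layout the session holds only a flag set by a successful `login()`, so a direct request to `mypage.php` without that flag is redirected by `require_login()`, and the database credentials never depend on what the visitor typed.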