kivison — 2013-03-02T06:59:04-05:00 — #1
I am creating a site which requires a strong login and security system. I have the script sorted out for this, which can protect against SQL injections, brute force, etc. However, my question is: one of the preventions against SQL injection is to not use a DB user that has delete rights, and so I would like to sign the user in with a DB user that has create, insert and update rights (to add a line into a table for login attempts, etc., for instance), but when the user is verified into the site they need to use the application, so delete rights will be needed, so a user with full access needs to be used for the continued use of the application.
Now, once the user is logged in, the protected pages have a routine that checks the user is authorised but that is after the login so the delete rights (in addition to the user rights that were used when logging in) make no difference to checking that the user is logged in but are important to the use of the web application.
Is this something that the PHP coding will not error over (changing users after the initial page) or will I get into problems?
Thanks in advance
oddz — 2013-03-02T18:11:10-05:00 — #2
Switching between x authentication profiles for the db connections based on different conditions seems pretty straightforward to me.
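A sketch of the per-condition profile switch discussed in this thread, added here as an example and not code from either poster. It assumes MySQL through PDO; the account names, schema, grants and environment variable names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical accounts and grants, assumed to be created once by a DB admin:
//   GRANT SELECT ON app.users TO 'app_login'@'localhost';
//   GRANT INSERT ON app.login_attempts TO 'app_login'@'localhost';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_full'@'localhost';
const DB_PROFILES = [
    'login' => ['user' => 'app_login', 'pass_env' => 'DB_LOGIN_PASS'],
    'full'  => ['user' => 'app_full',  'pass_env' => 'DB_FULL_PASS'],
];

/** Choose the DB account from server-side session state only, never from request input. */
function pickProfile(array $session): string
{
    $authed = ($session['authenticated'] ?? false) === true
        && is_int($session['user_id'] ?? null);
    return $authed ? 'full' : 'login'; // anything unexpected falls back to least privilege
}

/** Open the single connection a request uses, with the credentials of one profile. */
function connect(string $profile): PDO
{
    if (!array_key_exists($profile, DB_PROFILES)) {
        throw new InvalidArgumentException("unknown DB profile: $profile");
    }
    $p = DB_PROFILES[$profile];
    $pass = getenv($p['pass_env']); // secrets come from the environment, not the source tree
    if ($pass === false) {
        throw new RuntimeException("missing credential for profile $profile");
    }
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $p['user'], $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Constructed sample sessions: shows which DB account each kind of request would get.
$samples = [
    'login page, no session'   => [],
    'after verified login'     => ['authenticated' => true, 'user_id' => 42],
    'tampered/partial session' => ['authenticated' => 'yes'],
];
foreach ($samples as $label => $session) {
    printf("%-26s -> %s\n", $label, DB_PROFILES[pickProfile($session)]['user']);
}
```

A protected page would call `connect(pickProfile($_SESSION))` after `session_start()`; the demo loop only resolves profiles and does not open a connection.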
kivison — 2013-03-03T04:16:38-05:00 — #3
Thanks for the reply. I will see if I can run through it and post any issues.