chrisrulez001 Posted July 17, 2014 (edited)

Hi there,

I have a table in a MySQL database where I keep a list of user privileges. I am trying to create variables where the name of the variable matches the privileges in the table. This is also known as variable variables (I think).

EDIT (17/07/2014 04:02 PM): This might be a better way to describe what I'd like, so if the value from the table is admin_panel I'd like to dynamically create a variable with that name.

I have created a code so far, but all I seem to be getting is a list of Notice errors telling me that the variable is undefined. (I have supplied a list of errors a bit further down the post.)

Here is the code:

    <?php
    $host = "localhost";
    $account = "***";
    $password = "****";
    $dbname = "****";

    $connect = mysql_connect($host,$account,$password) or die("Unable To Connect");
    $db = mysql_select_db($dbname,$connect) or die("Unable To Select DB");

    $perm_query = "SELECT * FROM `privileges`";
    $permission_query = mysql_query($perm_query);

    while($row = mysql_fetch_array($permission_query))
    {
        $rows[] = $row;
    }

    foreach($rows as $row)
    {
        ${$row['privilege']};
    }
    ?>

The list of errors:

    Notice: Undefined variable: admin_panel in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: create_user in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: edit_user in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: delete_user in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: create_group in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: edit_group in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: delete_group in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: view_log in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: log_settings in C:\xampp\htdocs\DynamicVariables.php on line 20
    Notice: Undefined variable: password_change in C:\xampp\htdocs\DynamicVariables.php on line 20

Thanks

Ch0cu3r Posted July 17, 2014 (edited)

Because the following is trying to call the variable variable, which you have not defined:

    ${$row['privilege']};

If you are to do variable variables, you'd code it like so:

    while($row = mysql_fetch_assoc($permission_query))
    {
        ${$row['privilege']} = $row['privilege'];
    }

What is the purpose of doing this? Not to be rude but it seems lazy to me.

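Added example, not part of either post above: variable names taken from table rows land in the same scope as $password and $connect, so a row named "password" would overwrite the connection password. Keeping privileges in an array filtered through an allowlist avoids that; KNOWN_PRIVILEGES, loadPrivileges() and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example. KNOWN_PRIVILEGES, loadPrivileges() and the sample rows are
// constructed for illustration; they are not from the thread.

// Allowlist of the privilege names the application code actually checks.
const KNOWN_PRIVILEGES = ['admin_panel', 'create_user', 'edit_user', 'delete_user'];

/**
 * Split rows from the privileges table into [granted map, rejected names].
 * Names outside the allowlist never become variables or array keys.
 */
function loadPrivileges(array $rows): array
{
    $granted  = [];
    $rejected = [];
    foreach ($rows as $row) {
        $name = $row['privilege'];
        if (in_array($name, KNOWN_PRIVILEGES, true)) {
            $granted[$name] = true;
        } else {
            $rejected[] = $name;
        }
    }
    return [$granted, $rejected];
}

// Constructed sample rows, shaped like mysql_fetch_assoc() output.
// As a variable variable, the last row would overwrite $password below.
$rows = [
    ['privilege' => 'admin_panel'],
    ['privilege' => 'edit_user'],
    ['privilege' => 'password'],
];

$password = 'db-secret';   // stands in for the connection password
[$privileges, $rejected] = loadPrivileges($rows);

var_dump(isset($privileges['admin_panel']));  // privilege present in the rows
var_dump(isset($privileges['delete_user']));  // absent: false, with no Notice
var_dump($password === 'db-secret');          // table data did not touch it
print_r($rejected);                           // unexpected names to investigate
```
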
chrisrulez001 (Author) Posted July 17, 2014

Ah right, thank you.

Well it sort of is a lazy way of doing things, it's so that I can add, edit and delete privileges through an admin panel and because it reads the privileges from the database it automatically updates the variables and an HTML form, if that makes sense.

Thanks again

Psycho Posted July 17, 2014

Your code makes no sense. If I am reading it correctly the table has a single column being used called 'privilege'. I would assume then that each value is the name of a privilege? Heck, I don't even see anything in the query to only return the records for a specific user. But, you should have a finite list of privileges. I would have a table with a column for each privilege then a single record for each user with a 1 or zero in each column to identify if the user has that right or not.

You should think long and hard about the structure of what you are building. You could very well be taking yourself down a long dark alley where nothing good will come.

chrisrulez001 (Author) Posted July 17, 2014

Ok thank you for your suggestions, I do need to return the records for a certain user so I will add those to the code.

Thank you both for your help.

ginerjm Posted July 17, 2014

Without trying to understand your code, I offer this suggestion. Why not create a group of vars set to False - one for each of your privileges? Then when you authenticate someone, turn on the vars (set them to True) that correspond to that user's privileges.

chrisrulez001 (Author) Posted July 17, 2014

Ok thank you for your time to post the suggestion.

I have been working on an idea. I have a list of privileges stored in the code, and I have a table where all the users' information is and then have a privileges column, and the privileges that the user can do are grouped together in that column and are called when the user is logged in.

ginerjm Posted July 17, 2014

How are these privileges "grouped together in a column"? Are you breaking one of the first rules of normalization?

chrisrulez001 (Author) Posted July 17, 2014

For example these privileges: "create_user, edit_user, delete_user"

When they are then needed, they are exploded and then say if the user tries to create a user, then it's checked against the exploded string.

Psycho Posted July 18, 2014

Yeah, that's a pretty poor way to do that. I would still advocate a separate table to store permissions with a foreign key back to the user. Then have a separate column in the table for each permission.

If you really want to have a single column to store the permissions, then you should use a bitwise operator. If you are familiar with binary, numbers are represented such as 10110 (that would be the number 22). Each digit in the number would represent a different permission. A 1 means the permission is granted and 0 is not.

chrisrulez001 (Author) Posted July 18, 2014

Is there a security risk with doing it the way I have been? I suppose if the table was injected you could see all the permissions but with doing it the way you're saying, by referencing the ID of the permission in the users table rather than the actual permission.

So would this be a better solution?

Permission Table: permissionID, permissionName
User Table: username, password, permissions (random key), rest of columns...
Information table: ID (random key for specific user which matches the random key in user table), permission_list (store list of permissions here in bitwise)

Then possibly do a foreach to grab the permission and whether the permission has been granted?

Psycho Posted July 18, 2014 (edited) - marked as Solution

There is no inherent security risk based upon how you store the data (there are always exceptions). It is the processes of how you store and read the data that add security risk. The problem with what you are doing is that it really limits how you can use the data.

I'm not really following your proposal today. If you are going to use a bitwise operator, then just store that in the user table and don't use the other two tables.

User Table: username, password, permissions (bitwise values), rest of columns.

If you use a bitwise operator then you would need something to define which permissions are at which position. You could either store this in PHP as part of a resource file or you could create a table in the DB. But, since you need to have logic in PHP to interpret the permissions anyway and this should rarely, if ever, change, I would do it in PHP.

The other approach is to simply have one associated table to the user table.

User Table: userid, username, password, rest of columns.
Permissions: userid, createusers, createxxx, dosomething, etc.

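Added example, not part of the post above: the single-column bit-flag layout it describes, with the position map kept in PHP. The constant names, bit positions and helper functions are assumptions for illustration; 22 (binary 10110) is the value used in the earlier post.

```php
<?php
// Added example. The permission names, bit positions and helper functions
// are assumptions for illustration; the thread does not define them.

// One bit per permission, defined in PHP as the post suggests.
const PERMISSIONS = [
    'create_user' => 1 << 0,  // 00001 = 1
    'edit_user'   => 1 << 1,  // 00010 = 2
    'delete_user' => 1 << 2,  // 00100 = 4
    'view_log'    => 1 << 3,  // 01000 = 8
    'admin_panel' => 1 << 4,  // 10000 = 16
];

function bitFor(string $name): int
{
    if (!array_key_exists($name, PERMISSIONS)) {
        // Fail closed on names the code does not know.
        throw new InvalidArgumentException("Unknown permission: $name");
    }
    return PERMISSIONS[$name];
}

function grant(int $mask, string $name): int  { return $mask | bitFor($name); }
function revoke(int $mask, string $name): int { return $mask & ~bitFor($name); }
function can(int $mask, string $name): bool   { return ($mask & bitFor($name)) !== 0; }

/** List the permission names whose bit is set in a stored integer. */
function describe(int $mask): array
{
    $names = [];
    foreach (PERMISSIONS as $name => $bit) {
        if ($mask & $bit) {
            $names[] = $name;
        }
    }
    return $names;
}

// 22 is binary 10110: the bits worth 2, 4 and 16 are set.
$mask = 22;
print_r(describe($mask));               // names decoded from the integer
var_dump(can($mask, 'delete_user'));    // bit 4 is set in 22
var_dump(can($mask, 'create_user'));    // bit 1 is not set in 22

$mask = revoke($mask, 'admin_panel');   // clear the 16 bit
$mask = grant($mask, 'view_log');       // set the 8 bit
printf("%d = %05b\n", $mask, $mask);    // integer to store in the user row
```
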
chrisrulez001 (Author) Posted July 18, 2014

Ok thank you for your time. I've had a look at bitwise and I can't seem to get my head around it. So possibly going to create a permissions table and keep it at that.

Thanks for your help and thank you to the other people who have participated.