Connecting mysql with a login cms & php

[phplearner363]

Hi everyone,

I am new to php and mysql. I have taken one course on php and mysql setting up a cms for a website.

I have 2 different questions:

1. How to write code for cms to limit users to only certain tables?

2. How to use php my admin to add users to admin table with only certain privileges. Our admin table has has 3 columns,

id username hashed_password . At this point when we add a new user the password is shown in as plain text with no hashing. The hashing was written in the cms.

 

Thank you for any help, the hairs you save are mine, as I am about to tear them out.

Peggy

[maxxd]

One course on PHP isn't going to cut it for you in this situation. As you've already seen, the CMS handles hashing the passwords, so let it. It probably handles assigning user roles as well. Let it do that, too. It's a content management system specifically so that you don't have to manage the content directly. Let it do it's job, and your hair will stay where it's meant to be a lot longer than otherwise.

[Jacques1]

This is far, far too vague to give any kind of advice. We're not psychic.

 

Which CMS are you talking about? And what does “limit users to only certain tables” even mean? Access to data is generally handled within the application, not on a per-table basis.

 

If you post concrete code/tables and concrete questions, I'm sure somebody will be able to help you. But right now, it's really just gibberish.

[phplearner363]

Ok, I kinda of figured I was in over my head.

 

I will try to explain.

 

First the cms is one that I have written using php, the cms is a generic one for logging in and allowing individuals permissions to edit certain web pages.

 

I did this because I am unsure of the security of the big ones out there.

 

So if I continue to write the cms does anyone know how to write php to limit the user at login to edit only specific tables.

 

I think I can write the mysql to grant certain privileges, not all, to different users.

 

But how do I tie that into my php for the users?

 

Right now I have no restrictions on a user once they are logged in they can do whatever on the website.

 

The users we are targeting do not know anything about coding and so I designed a cms to help them edit the web pages.

 

Should you need the code, I am assuming you would wish to see the code for the cms which would mean the CRUD of the table(s) so I am little confused as to what code you wish to see.

 

There are at least 3 to 4 php files for each table..

 

Peggy

[maxxd]

I really don't mean to sound mean, but it sounds as though yes - you are totally in over your head. You don't trust the security of the established CMSs out there, so you decide to write one yourself after one course in PHP/MySQL? It doesn't matter what the users you're targeting are capable of, the site will be available on the Internet. Not just your target audience will be able to access it, even if it's password protected. In this case (and believe me, I never thought I'd be saying this) you might be better off using WordPress.

 

Take a few more courses in PHP and MySQL, put together some sites on your local machine, ask some questions, and continue to learn, and I certainly hope you'll build a WP killer; but from what it seems like you're asking I'm not even sure you've got the basics of how and why to use a database under your belt yet, let alone how to protect not only the server upon which you're hosting the site, but the users that will possibly be using that site.

[phplearner363]

Thank you for your reply.

I am thinking about what to do next.

Right now my brain does not want complicated.

Thanks again.

Peggy

[mac_gyver]

assuming you are doing this as a learning exercise -
 

1. How to write code for cms to limit users to only certain tables?

 
you don't. users/admins to a site don't need to know or care what the database table structure is, so, you don't need to limit what tables (i'm assuming you mean database tables) they have access to and if you are dynamically making database tables to hold the content for each different user/admin, that's not how you would do this. 
 
the database tables you have, are what your APPLICATION needs to accomplish it's goal. it's your application code that has access to the database tables. all the content for a Content Management System would be stored in the same database table. controlling who can Create, Update, or Delete record(s) in that table would be handled by the user permission system, based on the user's assigned permissions or assigned role and ownership of the record(s).
 
 

2. How to use php my admin to add users to admin table with only certain privileges. Our admin table has has 3 columns, id username hashed_password 

 
you should have a (one) user table that holds the unique user information. the user permission system would store its data in a separate set of tables, using the user id from the user's table to associate the assigned permission to the user it goes with.
 
as to a user permission system, do some research on ACL (Access Control List.) in its simplest form, this defines actions that can be performed (create, read, update, delete) and assigns those actions to specific users. by creating groups of actions, you define roles, that you can assign to a user (in addition to any of the specific, overriding, actions), such as an owner(superadmin), admins, authors, members, guests. to limit Create/Update/Delete access to only those records a specific user created/authored, in addition to storing the author's user id in a column in the row of data, there would be a set of defined actions that limit access to the user with the matching user id. to allow an admin to be able to edit anyone's content, there would be a different set of defined actions that ignore the id of the author of the record.
 
initially, to get the permission system started, you would manually store the user id of the person who is the owner/superadmin into the permission system, with a defined action that allows him/her to perform all possible actions. when that user logs in (and re-authenticates when making changes to user permissions), they would be able to, using an appropriately written user interface to the permission system, assign roles and/or specific actions to other users and also create and manage the actions and roles of the permission system.

 

the code for any 'action' on a page would test if the current user has permission to perform that action and if the specific permission requires it, ownership of data, before performing the action.

Edited August 24, 2016 by mac_gyver