
mattbarber

  1. Thanks for the quick replies.

     In answer to Brian W, the system is broken down into:

       • Accommodation info
       • Client Information
       • Current Client Information
       • Staff info
       • Reports
       • Sysadmin info - only accessible by sysadmin group

     I have an E-R diagram for the database and the PHP front end reflects this. For each area (apart from the Sysadmin area) the following group-level access would exist:

       • Guest - view only
       • User - view and modify
       • Manager - view, modify and delete records

     As the user navigates through the system their access levels will change based on their function.

     9three - I already have your steps 1 & 3 in place. I will now create a User Group ID to cover each area within the system - therefore the user will have 6 group IDs. For example, if GroupID_Staff == 2 then the user can view and modify staff data.

     hobeau - I already have the user login part in place with their user ID being held in a session variable. I will check that my session handling is secure, so thanks for the advice.

     Should I load each User Group ID for the user into the session up front when the user logs in (through a single query) or as they navigate through the system? As suggested, I don't then query the DB at each page; instead I collect the session variable value for my IF statements.

     Is it a good idea to clear down unused session variables? In short, what impact do they have on performance? I currently have about half a dozen values held in session variables.

     Thanks again.
  2. Please can you advise me on the best way to implement user permissions within PHP to control what a user can do within the database application?

     I have created a PHP application with a MySQL database. The database has a number of tables (such as Person, UserAccounts, Accommodation, Education etc.). In its simplest form the PHP pages display data from a table and, through links to associated pages, allow the user to delete/edit information in the table.

     I would like to implement permission/access rights to control what the user can do when they log in, i.e. View Data, Edit or Delete Records. I already have a user registration/log-in system through PHP where the user accounts and passwords etc. are held in the 'UserAccounts' table.

     What currently happens is: the user logs in and their ‘id’ is held in a session variable. The user accesses the required PHP query results page for the required table – let’s say ViewPeople.php, which queries table ‘Person’ and shows the results.

     From here it seems like the best way to implement permissions is:

       • Add details to the user's record in the ‘UserAccount’ table which specify each user's access level (view, edit, delete) for a given table.
       • Run a query at the beginning of each page (say the ViewPeople.php page) which returns the user's access level.
       • Through a series of ‘IF’ statements in the page, using the previous query results, show or hide the appropriate links (such as edit person, delete person etc.) as appropriate.

     This method seems inefficient as it would require a query at the beginning of each page and several IF statements within the page to control what the user sees.

     An alternative solution may be to load different copies of the page depending on the user's access level, each with different links shown. This would again be inefficient and an admin overhead, requiring many copies of a page to be modified for a single change.

     How is this normally done? Any advice or suggestions are gratefully received.

     Thanks
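
An added example (not the poster's code and not from either post) of the scheme the posts describe: per-area levels loaded into the session by one query at login, with the same check used to show or hide links and to guard the edit/delete pages themselves, since a hidden link does not stop a direct request. The function names, session keys, the numeric values for Guest and Manager, and the sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// Levels per area. "2 = view and modify" is from the post; 1 and 3 are assumed.
const LEVEL_GUEST = 1;
const LEVEL_USER = 2;
const LEVEL_MANAGER = 3;
const REQUIRED_LEVEL = ['view' => LEVEL_GUEST, 'modify' => LEVEL_USER, 'delete' => LEVEL_MANAGER];

// Called once at login. $rows stands in for the result of the single query
// returning (area, level) pairs for this user (hypothetical schema).
function load_permissions(array &$session, int $userId, array $rows): void
{
    $session['user_id'] = $userId;
    $session['levels'] = [];
    foreach ($rows as $row) {
        $session['levels'][$row['area']] = (int) $row['level'];
    }
}

// Deny by default: no login, unknown action, or no level for the area all fail.
function can(array $session, string $area, string $action): bool
{
    if (!isset($session['user_id']) || !array_key_exists($action, REQUIRED_LEVEL)) {
        return false;
    }
    return ($session['levels'][$area] ?? 0) >= REQUIRED_LEVEL[$action];
}

// First line of every page that changes data (e.g. a delete handler),
// not only of the page that renders the link to it.
function require_permission(array $session, string $area, string $action): void
{
    if (!can($session, $area, $action)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sample data; in the application pass $_SESSION after session_start().
$session = [];
load_permissions($session, 42, [
    ['area' => 'staff', 'level' => 2],
    ['area' => 'reports', 'level' => 1],
]);
var_dump(can($session, 'staff', 'modify'));   // link shown, handler allowed
var_dump(can($session, 'staff', 'delete'));   // link hidden, handler refuses
var_dump(can($session, 'sysadmin', 'view'));  // no row for the area: denied
```

Levels cached in the session do not change when an administrator edits the user's record, so a demoted user keeps the old rights until the session ends; re-running the login query before destructive actions closes that gap.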