Kevinmun, Posted December 14, 2008

My question is pretty general. I want to write a simple user management system with three levels of access (regular user, admin, and super admin), all with different privileges. So I can think of two ways to do this...

1. Make one user table that will contain all of the users regardless of type and add a field that distinguishes whether they are a user, admin, or super admin.
2. Create three separate tables, one for users, admins, and super admins.

My thinking is that number 1 might be easier to implement, but I'm not sure I want to give users any write privileges to a table that contains admins and super admins. I'm worried this might make the application a little more vulnerable to attacks. So my question is which method is more common and are there any major advantages or disadvantages besides the first being easier to implement and second possibly being more secure?
Mad Mick, Posted December 14, 2008

I would suggest the first since it is easier and cleaner to implement. I don't see the 2nd as much more secure - if they can access your main user table then it will not take much effort to access any other table. You should concentrate on security further up the line.
PFMaBiSmAd, Posted December 14, 2008

> I'm not sure I want to give users any write privileges to a table that contains admins and super admins.

If that statement is referring to your database queries, your database connection user/password/privilege is completely different from an application user/password/privilege system.
Kevinmun (Author), Posted December 14, 2008

> > I'm not sure I want to give users any write privileges to a table that contains admins and super admins.
>
> If that statement is referring to your database queries, your database connection user/password/privilege is completely different from an application user/password/privilege system.

So I guess that's two votes for method 1. I know I've seen method 2 before and I know there has to be a reason people do it that way. I assumed it was security.
kpetsche20, Posted December 14, 2008

I would go with the first one, I can't think of any logical way 3 different tables will make the application any more secure.
Kevinmun (Author), Posted December 14, 2008

Alright, that's 3 votes for #1. I figured I'd bump it to the top one more time and if no one disagrees with #1 I'll go ahead and mark it solved.
stelthius, Posted December 14, 2008

As said 3 times already, 1 table. As also said before, I also don't see any point in 3 separate tables.

Rick
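
The single-table design the thread settles on, with the privilege checks done in application code, as an added example that is not from any poster in the thread. It uses an in-memory SQLite database; the table, column, role and function names are assumptions chosen for illustration.

```python
import sqlite3

ROLES = ("user", "admin", "super_admin")  # assumed names for the three levels

def open_db():
    db = sqlite3.connect(":memory:")
    # One table for every account; the role column only accepts the three levels.
    db.execute("""CREATE TABLE users (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        role     TEXT NOT NULL DEFAULT 'user'
                 CHECK (role IN ('user', 'admin', 'super_admin')))""")
    return db

def register(db, username):
    # Self-registration never takes a role from the request: the column
    # default applies, so a forged "role" form field has nothing to bind to.
    return db.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid

def role_of(db, user_id):
    row = db.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

def set_role(db, actor_id, target_id, new_role):
    # The actor's role is read from the table (server-side state),
    # not from anything the client sent.
    if role_of(db, actor_id) != "super_admin":
        raise PermissionError("only a super admin may change roles")
    if new_role not in ROLES:
        raise ValueError("unknown role")
    db.execute("UPDATE users SET role = ? WHERE id = ?", (new_role, target_id))

def demo():
    db = open_db()
    # Constructed sample data: the first super admin is seeded out of band.
    root = db.execute(
        "INSERT INTO users (username, role) VALUES ('root', 'super_admin')").lastrowid
    alice = register(db, "alice")
    try:
        set_role(db, alice, alice, "super_admin")  # self-promotion attempt
        denied = False
    except PermissionError:
        denied = True
    set_role(db, root, alice, "admin")  # legitimate change by a super admin
    return denied, role_of(db, alice)

if __name__ == "__main__":
    print(demo())
```

Every query here runs over the same database connection, whichever application user triggered it; what separates a regular user from a super admin is the check in `set_role`, not which table the row lives in.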