
Need Some Help with SECURITY

The User ID that I want to tie to is a field named EMAIL in a MEMBERS file. I AM successfully creating a SESSION variable named EMAIL at login.

1. I want each user to be able to see and edit their own data ONLY

I KNOW how to do that setting in the SECURITY Tab

QUESTIONS

A. Does each data file need to have a column that is populated with the user email name?

B. I have created a SESSION VARIABLE at login named EMAIL

C. Assuming A. is a correct assumption, how do I populate the EMAIL COLUMN in each data file with the system variable?

Thanks

https://forums.phpfreaks.com/topic/332489-security-in-phprunner/

As I understand it, PHPRunner is a PHP Code generator.  Most of the people who frequent this forum are or have been PHP Developers, and I doubt seriously that anyone has ever used PHPRunner.

Just speaking generally, PHP Sessions are basically containers for a set of variables on a server that are associated with a user.  Sessions are not a database.  Technically, they are just PHP variables that PHP will "serialize" and "deserialize" for you.  A running script can add, remove and change session variables, and PHP will load the contents of those variables each time the same user makes a new HTTP request, which the server does based on a cookie value.  

Usually for something like a member/user system, you would have a database table called user or member, that has the email field and a password field, and that table will also have a primary key, which is usually a sequentially assigned integer.  The specifics of this depend on the database being used.  It looks to me like PHPRunner can support a number of different databases.

Typically, a new visitor to the site, with no existing session cookie, will be assigned one, whether or not they have logged in. Once they do log in successfully, many systems will read the email and user_id value from the database and set a session variable like $_SESSION['is_logged_in'] = true.

The system can then use this as well as the user's unique id value, and can use this to "guard" any screen that requires login, including a form that allows the user to add or update data associated with them.   That data will typically use the user's user_id to "relate" the user's data to their user table row.   As this id number is kept on the server and never accepted as user input, there is no way for someone to change or add data that doesn't belong to them, unless you create code that is incompetent.  

The specifics of this have to do with relational database design, which is an entire subject line of its own.

Beyond this conceptual description, I can't really help you any further as I have no idea how PHPRunner creates code that supports these standard ideas, but I have to assume that it is designed to generate code that does once you understand it.

My best advice to you is to seek support from the company that makes it, or try their forums.   Best of luck!

You use the word "file" a lot.
I'm going to assume that you mean Database "Tables" and not actual, operating system files.

What you're describing is Row Level Security.
For that to work, you have to have a Column in each and every Table that you want to restrict access to that holds the identifier of the "owner" of that Row.

That might be an email address but those tend to be quite long (increased storage need) and, potentially, might change (bad Key candidate, can't be easily/efficiently updated), so it would be better to use the surrogate, numeric User ID (Primary Key) value from the MEMBERS table. 

UserID  Email
1       [email protected]
22      [email protected]

UserId - small storage requirement, never changes. 
Email - larger storage requirement, potential to change over time; poor choice for a Key. 

> A. Does each data file need to have a column that is populated with the user email name?

Yes. 

ID   Owner  Posting_TS            Message
777  22     -5000/01/14 09:00:00  Message from Barney ...
888  1      -5000/01/14 09:05:00  Reply from Fred ...

> C. Assuming A. is a correct assumption, how do I populate the EMAIL COLUMN in each data file with the system variable?

When you insert a row into one of these tables, you set the "owner" column to the value of the User ID (or Email) that you hold in the Session.

Whenever you query any of these tables, you filter by the "owner" column, again using the value that you hold in the Session.

Bear in mind that this may also affect the Indexes that you create on these tables, which should include the "owner" column, because you're going to be specifying it on every query. 

 

Regards, 
   Phill W. 
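Putting the two replies together (the login guard and session user_id from the first reply, the owner column, owner filter and owner-led index from the second) as an added example; this is not code from either poster or from PHPRunner, and the table and column names (MEMBERS with UserID/Email, messages with ID/Owner/Message) are assumed to match the tables sketched above:

```php
<?php
// Added example illustrating both replies above; not code from either poster or
// from PHPRunner. Assumed names: MEMBERS(UserID, Email), messages(ID, Owner, Message).
// SQLite in memory so it runs offline; the session works the same way under a web server.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE MEMBERS (UserID INTEGER PRIMARY KEY, Email TEXT UNIQUE NOT NULL)');
$db->exec('CREATE TABLE messages (ID INTEGER PRIMARY KEY, Message TEXT NOT NULL,
           Owner INTEGER NOT NULL REFERENCES MEMBERS(UserID))');
$db->exec('CREATE INDEX ix_messages_owner ON messages (Owner, ID)'); // every query filters on Owner
// Constructed sample data: Fred is UserID 1, Barney is UserID 22, row 777 belongs to Barney.
$db->exec("INSERT INTO MEMBERS VALUES (1, 'fred@example.com'), (22, 'barney@example.com')");
$db->exec("INSERT INTO messages VALUES (777, 'Message from Barney', 22)");
// Login: resolve the email to the surrogate key once; only that key lives in the session.
function login(PDO $db, string $email): bool {
    $st = $db->prepare('SELECT UserID FROM MEMBERS WHERE Email = ?');
    $st->execute([$email]);
    if (($id = $st->fetchColumn()) === false) return false;
    $_SESSION['is_logged_in'] = true;
    $_SESSION['user_id'] = (int) $id;
    return true;
}
// Guard for every screen that needs a logged-in user.
function currentUserId(): int {
    if (empty($_SESSION['is_logged_in'])) { http_response_code(403); exit('login required'); }
    return $_SESSION['user_id'];
}
// Insert: Owner comes from the session, never from the request.
function addMessage(PDO $db, string $text): int {
    $db->prepare('INSERT INTO messages (Message, Owner) VALUES (?, ?)')
       ->execute([$text, currentUserId()]);
    return (int) $db->lastInsertId();
}
// Read: always filter by Owner.
function myMessages(PDO $db): array {
    $st = $db->prepare('SELECT ID, Message FROM messages WHERE Owner = ? ORDER BY ID');
    $st->execute([currentUserId()]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}
// Update: the WHERE clause pins Owner as well as ID, so someone else's row is simply not matched.
function editMessage(PDO $db, int $id, string $text): int {
    $st = $db->prepare('UPDATE messages SET Message = ? WHERE ID = ? AND Owner = ?');
    $st->execute([$text, $id, currentUserId()]);
    return $st->rowCount();
}
login($db, 'fred@example.com');
$mine = addMessage($db, 'Reply from Fred');
printf("rows changed - own row: %d, Barney's row: %d\n", editMessage($db, $mine, 'edited'), editMessage($db, 777, 'x'));
print_r(myMessages($db));
```

Because the row ID from the request is only ever combined with the session's Owner in the WHERE clause, a request naming another member's row changes nothing and returns a row count of zero rather than an error.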
