Home/ Questions/Q 427779
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T19:36:37+00:00

I am going to be making a small user system but I have questions.

  • 0

I am going to be making a small user system but I have questions.

  1. If I were to make a registration table (mysql), what is wrong with just storing the password and username into the database without encryption?

  2. I am trying to think of how to build the admin portion. Should I just check a column in the database to see if user is admin or not? If true, then admin page will be revealed. 

  3. For admin powers, let’s say I have 3 powers: delete user, approve user, and move user. In a few scenarios, I may want to give some people only the ability to approve, or delete, or all, or any combination. How would I make this? I was thinking of having a column for each power and have the script check each column. Let’s assume I have over 20 powers that will be added.

  4. If I have a website where people can create groups and become admins of their groups and the these admins can give different combination of admin powers to people in their group (For ex, Zack creates and group called Mountain and grants one member the ability approve new group members and grants a second member the ability to delete members and assigns a third member the ability to delete and approve. How will I structure this in MySQL? Should I use a columns that say what group are they admin of and what ability do they have? E.g. columns: Delete, Approve, GroupMemberOf, GroupAdminOf and use checks.

I have an idea but I want to learn the more sophisticated ways.

Thanks for the answers so far, however, I am really looking for ideas on a structure ( Question 2 – 4 ). Please let me know if I can help clear up the question.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. Hash user passwords with unique salts for each users, so that when your database can be accessed by an outsider, they cannot decrypt the passwords, and the salt mitigates rainbow table attacks.

    2 – 4. Use a table for access levels (1: member, 2: moderator (approval), 3: admin), and use yet another different table for user permissions where you store many-to-many connections like this:

    id (auto_increment)|usr_id|role_id|group_id
-------------------------------------------
1                  |1     |3      |-1
2                  |2     |2      |1
3                  |2     |3      |2
4                  |3     |1      |2

    In your case, user 1 is admin for the whole site, user 2 is admin for group 3 and moderator for group 2, user 3 is member of group 2.

    [EDIT:]

    Some more thoughts on restricting powers for the different roles: Depending on your setup you should use some role enforcement on a per-page basis, e.g. in an MVC framework, I would extend the base controller to require a (role) authorization function that has to be called for each method, otherwise it should throw an exception. Methods (pages) that do not require the user to log in can use a dummy authorization.

    So the authorization class will look like

    class Authorization
{
    public $authorized = false;

    public function dummy()
    {
        $this->authorized = true;
    }

    public function member($usr_id, $group_id = null)
    {
        $sql = "SELECT usr_id FROM usr_roles WHERE usr_id = " . $usr_id . ($group_id !== null) ? " AND group_id " . $group_id : "";
        // count the results of $sql query
        // or some more stuff
        if ($results > 1)
        {
            $this->authorized = true;
        }
        else
        {
            $this->authorized = false;
        } 
    }

    // the other functions
}

    Your new base controller class will look like this:

    class BaseController extends Controller
{
    protected $authorization;
    public function __construct()
    {
        $this->authorization = new Authorization();
    }

    public function render()
    {
        if ($this->authorization->authorized === true)
        {
            parent::render
        }
        else
        {
            // redirect to not authorized page 
        }
    }
}

    And finally in the end your controllers will look like:

    class IndexController extends BaseController
{
    // some stuff, methods etc.

    // methods needs logged in user and user must be a member. 
    public function index()
    {
        $this->authorization->member($session_user->getId());
    }
}

    [EDIT2:]

    If you are not familiar with OOP, then you can do the following:

    Here is a sample layout for a roles table:

    role_id|role_name
-----------------
1      |member
2      |moderator
3      |admin

    You can then make a function authorize() to include in all your files:

    // role_name = "member", "moderator", "admin"
function authorize($usr_id = null, $role_name = null, group_id = null)
{
    // test for user in group and role, return boolean

}

    In your files include this function and do the following

    if (authorize($usr_id, "moderator", 2)
{
    // show stuff, if user with $usr_id is moderator for group 2
}
else
{
    // do something else
}
// stuff for all
    • 0