In my users table I have a true/false boolean flag which signifies whether the logged-on user is Admin or not. Basically, even Admin and other users have access to the database because it’s a small college website. How do I ensure that general users don’t modify the flag? Is storing an admin flag the correct way of doing this? If I keep the password and username for the database, then it’s also risky because other users even have access to the website folder, so they can refer to the username and password in the connection string.
Thanks in advance 🙂
If they have full access to your database, editing the “admin flag” is the least of your problems. What’s to stop them from editing everything else? Certainly not your admin flag.
No, not even close. The proper way is to set up separate mysql users with only the limited permissions they need. Use file permissions to prevent people from reading the login info from the web folders.
Additionally, you could use a .htaccess file to control access to the admin section.
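As an added example (not from the poster or either reply), here is the privilege split the earlier answer recommends, written as MySQL statements; the database name `college`, the table and column names, the account names and the placeholder passwords are all assumptions.

```sql
-- Assumed schema: database `college`, table `users` with columns
-- id, username, password_hash, is_admin (the flag from the question).

-- 1. Account the public-facing pages connect with. It may read users and
--    update only the column a user legitimately changes about themselves.
--    is_admin is deliberately absent from the UPDATE column list, so the
--    public pages cannot promote an account even if they are misused.
CREATE USER IF NOT EXISTS 'site_public'@'localhost'
  IDENTIFIED BY 'CHANGE-ME-placeholder-password';
GRANT SELECT ON college.users TO 'site_public'@'localhost';
GRANT UPDATE (password_hash) ON college.users TO 'site_public'@'localhost';

-- 2. Separate account used only by the admin section (the one behind the
--    .htaccess-protected folder). Its connection string lives only there.
CREATE USER IF NOT EXISTS 'site_admin'@'localhost'
  IDENTIFIED BY 'CHANGE-ME-different-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON college.users
  TO 'site_admin'@'localhost';

-- 3. Neither account receives GRANT OPTION or any global privilege, so
--    neither can widen its own access. Verify the column-level limit:
SHOW GRANTS FOR 'site_public'@'localhost';

-- 4. Run as site_public, a statement such as
--    UPDATE college.users SET is_admin = 1 WHERE username = 'alice';
--    is rejected by the server, because that account holds no UPDATE
--    privilege on the is_admin column. Only site_admin can change it.
```

Point the public site's connection string at `site_public` and keep that config file readable by the web server process alone, as the answer about file permissions suggests.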