Using PHP and Mysql together.

[pinesol]

Hello, I am creating a website using X10Hosting and it's going to be using PHP and MySql for the login for administration. I was wondering about connecting.

I have it connecting fine, but I was wondering what I should do about the username and password. Should I just add a new user with only a few privileges so that I can check the username and password? And if so, what privileges should I allow.

[deadimp]

Are you talking about your own system, or MySQL accounts?
For MySQL, if you're the only one using your x10hosting account, you should create a user and connect it to each database with all priviledges, unless you don't trust yourself or the scripts you're running.

[lionheart8]

If he says:

I have it connecting fine, but...

I get the impression he has already created a db & user via the cpanel and the connection referred to is the db connection and the username + password used match with those in the php db connection script.
In that case, unless other people have access to your cpanel, what deadimp is suggesting is the thing to do.

If not what are u referring to with

I have it connecting fine, ...

[pinesol]

What I was referring to is when you have the login name and password for a database with php (mysql_connect($host, $username, $password, $database)), whether or not to use one that already has all priveledges (select, delete, add, etc), or just to make one that only has SELECT, so that I can check to see if the user is in the database (for a login script).

[t2t2t]

only select is good enough for checking, but add is required for registration. But having all is recommended...

[halohalo]

I like to conduct my work with at least two users in mind for the best security consideration. In my situation I use and install open source cms software so every situation is different.

For the initial installation of my software, I use a user account with full priviliges (i.e., ALL: create, drop, insert, update, delete, select, index, etc.) That way my install scripts can build the database objects required to make the software installation work. Then I go back and change the user account used by the software application to something more restrictive: select, insert, update, delete ONLY.

The philosophy behind this is that the user account that the application uses should only have as minimal access as possible.

When you're coding your website, the better approach is not to mirror mysql user accounts with the user accounts created for your website. That's a bad idea. And it isn't necessary. You don't want your users logging into your database (potentially) and causing damage or havoc to your database. Imagine, if you created mysql user accounts with full access, a user can bypass your website login, login to the database directly then start dropping database tables or whatever they want.

The tried and true approach is to maintain user accounts with a user account table in your mysql database. These accounts determine what access the users will have to your website *not* to your database. You only need to code one database user for your PHP code to use. In this way, your PHP code uses the user table to validate users and only then issues queries on behalf of the users as a single database user account.