3 Replies Latest reply on Nov 21, 2010 7:45 AM by MartinHviid

    Manage users

    mailhaim

      Hi,

      I've Flex as front-ent, with Java over MySQL DB as back-end (DB access through hibernate).

       

      I'm trying to figure out what is the best-practice to:

      1. Manage users records?

      I currently have my own users table (with user name, password and all the info I need). Should I use MuSQL.user table?

      I've to came to his point because I wanted to hold my user's password encrypted, and following the following link I understood that passwords in my own users table are not protected for different reasons - logs, backup scripts, etc. (http://dev.mysql.com/doc/mysql-security-excerpt/5.1/en/password-security-admin.html)

       

      2. Do I need to log-in the DB using the user's crednetials? if yes, why?

      Currently I only check for the un/pwd validity, but for all users - I connect using a single root UN...

       

      Thanks, Haim

        • 1. Re: Manage users
          MartinHviid Level 2

          Hi Haim

           

          I think you are mixing things together.

           

          The MySQL.user table, are for the DBMS to handle users of the database, not of a custom application, so unless you are trying to create a DBMS manager, you shouldn't access any of MySQL's own tables.

           

          If you wanna store you passwords in the database encrypted, you simply encrypt them in your code, and then they will also be encrypted in the DBMS logs and in the DB.

          But as the docs state, you show NEVER allow access to the DB logs, to other then an administrator and the DBMS itself.

           

          Best Regards

          Martin Andersen

          • 2. Re: Manage users
            mailhaim Level 1

            Martin,

            Thanks for the clarification.

             

            That means that there is no need to connect to the DB using my user's credentials, correct?

            I can use my admin UN/PWD to connect the DB, and just verify my users are legit against my users table?

             

            Thanks, Haim

            • 3. Re: Manage users
              MartinHviid Level 2

              Yes, but it's not good practice to use your administrators account to connect to the database, but as long as you are developing you can do it, but should you ever go into production, then you would typically create a MySQL user for each app, and only give that user to the app's tables.

               

              But for now don't think about this.

               

              Besides this your solution sounds okay.

               

              -Martin