• 0

Should I create a unique MySQL user per logged in person?

Asked by Jose_49,

 Share

Question

Grand Master

Jose_49

Posted
Posted

Yo Neowin!

I want to know what do you suggest in terms of security, and speed, whether is recommended or not to create an individual user for each person that logs in to my site.

I mean. I usually verify a username on a table, and assign unique tables to each of my users with a General MySQL user account with limited privileges. But since I've been reading a little bit more about MySQL (I only know the basics), I've seen that to improve security I could assign certain limits on MySQL users and only allow access to certain tables.

So, what can you suggest me in terms of MySQL users?

Thanks :p

14 answers to this question

Recommended Posts

  • 0
Grand Master

Jose_49

Posted
  • Author
Posted

What do you mean unique mysql user per logged in user, what type of site is this?

I mean, to create a MySQL user. The default user on a MySQL server is root. I would like to know if it would improve security having a separate user like "John" which would only access Joh_products and John_clients table and will have limited privileges like SELECT, DROP, UPDATE, INSERT commands.

This site, is on development right now, so everything can be modified. It's a receipt management website, which each of the users will have their own clients stats, number of purchases, receipts, etc.

  • 0
Grand Master

Mr.XXIV

Posted
Posted

I mean, to create a MySQL user. The default user on a MySQL server is root. I would like to know if it would improve security having a separate user like "John" which would only access Joh_products and John_clients table and will have limited privileges like SELECT, DROP, UPDATE, INSERT commands.

This site, is on development right now, so everything can be modified. It's a receipt management website, which each of the users will have their own clients stats, number of purchases, receipts, etc.

I truly would not recommend that at all.

  • 0
Grand Master

n_K

Posted
Posted

NEVER use the root account AT ALL once you've configured the MySQL server, make another account and grant it root-like permissions and ONLY use the root account as a last resort if something breaks to restore everything.

Yes use different accounts for different sites, one account for all clients on one site should be fine i.e. one account for this receipt tracking site, another account for a control panel site, etc.

  • 0
Grand Master

Sandor

Posted
Posted

You should only really need one master user for the mysql database itself. Then use web based forms (in PHP for example) to allow the people to add/delete/update their data. They don't need to have direct access to the database tables to do this. I don't really see the point of having totally distinct tables for each user either. Seems like a lot of duplication and you'll end up with a massive amount of tables.

  • 0
Grand Master

Jose_49

Posted
  • Author
Posted

Thanks to all of the above. Now I have a clear mind.

NEVER use the root account AT ALL once you've configured the MySQL server, make another account and grant it root-like permissions and ONLY use the root account as a last resort if something breaks to restore everything.

Yes use different accounts for different sites, one account for all clients on one site should be fine i.e. one account for this receipt tracking site, another account for a control panel site, etc.

I shall take this recommendation then :)

I don't really see the point of having totally distinct tables for each user either. Seems like a lot of duplication and you'll end up with a massive amount of tables.

:/ There was no other way my logic could function.

I Googled a bit and found that there wasn't any problem having multiple tables. The thing is that it allows flexibility. I didn't see a good way on putting the client info, the receipt #, the quantity, price of the product purchased (because it has a variable price), the current product id, the tax, and whether it was paid, delivered or not. So I could fetch it in a productive way later on....

Anyways, I'm open to suggestions :D

  • 0
Community Regular

mollick2

Posted
Posted

I Googled a bit and found that there wasn't any problem having multiple tables. The thing is that it allows flexibility. I didn't see a good way on putting the client info, the receipt #, the quantity, price of the product purchased (because it has a variable price), the current product id, the tax, and whether it was paid, delivered or not. So I could fetch it in a productive way later on....

Multiple tables are fine, in fact you should be using multiple tables, but there's a much better and organized way of using them. You should be using different tables for storing types of data. If I have Users, Customers, and Receipts; I would create a separate table for each one of them. Then I would create two additional tables used for associations, one for Users->Receipts, and one for Customers->Receipts. These associative tables would only store the unique id's for the rows in the other tables.

Not sure if I explained clear enough or not, also not sure if it's quite the same idea as your system. Either way its best to have different table's for different types of data, since there's no sense in storing the same data multiple times.

  • 0
Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted

Certainly use multiple tables, but not for each user. Say you have 10 users and each user has a separate table, if you want to see all the data from all the users you have to search through 10 tables, vs. just the main table for the type of data you want.

So instead of userA_orders, userB_orders, etc. you just have a single orders table, and store what user created the order in the record you insert into the table.

  • 0
Experienced

paxa

Posted
Posted

if i've read this right. you should create a function user. one user that can insert, update, or delete records, but not modify the database structure. use that user for any transaction, and the root as a last resort.

  • 0
Grand Master

Jose_49

Posted
  • Author
Posted

Multiple tables are fine, in fact you should be using multiple tables, but there's a much better and organized way of using them. You should be using different tables for storing types of data. If I have Users, Customers, and Receipts; I would create a separate table for each one of them. Then I would create two additional tables used for associations, one for Users->Receipts, and one for Customers->Receipts. These associative tables would only store the unique id's for the rows in the other tables.

Not sure if I explained clear enough or not, also not sure if it's quite the same idea as your system. Either way its best to have different table's for different types of data, since there's no sense in storing the same data multiple times.

Certainly use multiple tables, but not for each user. Say you have 10 users and each user has a separate table, if you want to see all the data from all the users you have to search through 10 tables, vs. just the main table for the type of data you want.

So instead of userA_orders, userB_orders, etc. you just have a single orders table, and store what user created the order in the record you insert into the table.

Now I get it! Yup. Indeed. I know my logic was failing somewhere.

I just need to create a separate column with the current logged in user, and bang it with a WHERE clause to identify the user (*poker face*)

Aaaargh.

Going to work on it right now

Thank you people :D

This topic is now closed to further replies.
 Share
Go to question listing

  • Posts

    • You've tried DuckDuckGo and Brave Search, now get serious with SearXNG

      By zikalify · Posted

      You've tried DuckDuckGo and Brave Search, now get serious with SearXNG by Paul Hill Over the last decade, it has become quite trendy to dump Google Search in favor of privacy-preserving alternatives such as DuckDuckGo, Startpage, and Brave Search. These search engines have done a very good job at highlighting dodgy practices by Google, such as adjusting search results based on what it thinks you’ll like (filter bubble) and stalking you around the web to advertise to you. While these search engines are good starting points when compared to non-private services like Google, there are still quite a few issues with them. For example, both DuckDuckGo and Brave Search require running non-free JavaScript in your web browser, which is comparable to running proprietary software on your computer, meaning you can be sure about what it’s actually doing in the background. Another issue is that these search engines are hosted on the respective companies’ servers, and you are using a service that you don’t control. Finally, DuckDuckGo, while offering privacy features, relies heavily on Microsoft’s infrastructure for its results and, in the past, has permitted Microsoft tracking scripts. If you are looking for a more private search solution than DuckDuckGo, Brave Search, and Startpage, then I recommend taking a look at SearXNG. It is a privacy-respecting metasearch engine that can be used via different public instances, which is useful for mobile users, or you can install it on your computer or server and run it locally with maximum control. Unlike Google, Bing, or Brave Search, which crawl the web and have their own search indexes, SearXNG is a metasearch engine, meaning it taps other search engines, stripping your identifying data, such as IP address, user agent, and cookies, in the process. Your search query is sent to the other search engines you enable before aggregating the results. SearXNG has deployment flexibility. If you are a casual user or a mobile user and don’t want to run SearXNG locally, you can use a public instance that is hosted by someone else. The main problem with this is that you are putting trust in the maintainer of the instance regarding stuff like logs that they may keep; good hosts should have a privacy policy explaining their policies. If you are trying to use SearXNG, you can also install the software on your device and then head to 127.0.0.1:8080 in your browser and search from there. While you don’t have to worry about a third-party admin like the public instances, search engines could ultimately block your IP address if they frown on you pulling in their search results locally. If you want to run it locally, it’s a good idea to use proxies or VPNs to hide your actual IP. You don’t have to worry about this with a public instance, as search engines never see your IP address. The main privacy benefit of using SearXNG is that it isolates your identity from the underlying engines that it’s capable of searching, such as Google and Bing. These search engines will only see requests coming from a generic server, so they can’t profile you and create a bubble filter that influences what results you see. This also ensures that your search engine doesn’t turn into an echo chamber that prevents you from reading alternative points of view. As a free software project, you are allowed to inspect SearXNG to make sure there are no negative features bundled inside. This sets it apart from the privacy search engines mentioned earlier because you can’t check their source code. As a meta search engine, you are not restricted to getting results from one source. Due to the fact that it scrapes content from other websites, your SearXNG instance will periodically get blocked from different providers, so it’s good to select a range of sources as a backup. While enabling all of the services will give you great results, this can make searching slower. I am personally happy with slower searches for the best results, but you can always check which providers are slowing down your search from the search results page and disable them to speed things up. If you want decent results quickly, enable the main search providers such as Google, Brave, DuckDuckGo, Qwant, Bing, and Yahoo. This way, you get wide coverage without the latency. On the Engines tab in Preferences, do note that there are different tabs, such as General, Images, and Videos, with their own providers that can be toggled and are not covered by "Enable all" while on the General tab, so be sure to dig into each. Just a note, if you want to enable everything, press "Enable all" in one tab, then hit save at the bottom of the page, then do the next tab, and so on. If you press "Enable all", then do that in each tab, and then save, nothing will stick. When I had just some of the search engines enabled, I searched “define nefarious” and results came back with the definition of “define” - obviously that was a sucky result. However, when I had everything enabled, it found dictionary pages for the word “nefarious” and even had an inline definition on the sidebar, which is quite nice too - that was delivered by WolframAlpha for anyone wondering! Probably the worst thing about this meta search engine is that the engines you select are saved with a cookie, so you must enable them on every new device you use SearXNG on, including if you decide to go into incognito mode with your web browser. Honestly, I would say this is the most annoying aspect, and perhaps if your browser lets you choose a separate private browsing search engine, then it would be best to use DuckDuckGo for this portion of your browsing. Another weakness of SearXNG is the random blocking of it by search providers. When you are on the results page, expand the “Response time” box, and it will show things like “Suspended: too many requests” or “access denied”. This is why it is good to enable several providers so that there is always a fallback to get results from. I won’t pretend SearXNG will be for everyone, however, if you enable all of the providers and put up with the slower response time, the results can be really amazing. Even if you don’t want to use it as your daily driver, keeping a bookmark handy that links to it is a good idea if you ever feel like doing a deep dive into a niche topic where other search engines are just failing to bring up any good result, due to the amount of sources it looks on. If you’re interested in radical user control over the software you use, installing SearXNG locally can also be a good idea, but be prepared to be temporarily blocked from sites if you trigger bot sensors without a VPN. Personally, I’ve opted to use a public instance, rather than install it myself. If you want to use it via a public instance, head over to searx.space to find a provider. Let us know in the comments if you have used SearXNG or its predecessor, Searx. What do you think about the quality of the results?
    • Windows 11 is getting redesigned taskbar settings in new build

      By Captain_Eric · Posted

      Dear Neowin, If it is not too much trouble, can you start using the new-ish designations for Insider Preview? "Experimental" is different than "former Dev" as it can apply to different models, eg 26H1 or 26H2 etc, right? No need to seed confusion IMHO. And, please "finally" update your graphics. OK?
    • Why Delta Chat is the best decentralized messenger you have probably never tried

      By zikalify · Posted

      Did you see their FAQ, its quite good. Have a look in the Advanced section. https://delta.chat/en/help
    • Apple MacBook Neo is a blessing for Windows users, here's why

      By Pandadriver · Posted

      Just install Linux Mint that is a real blessing and many times cheaper because you can continue using your old Windows computer/laptop with the latest Linux updates.
    • Why Delta Chat is the best decentralized messenger you have probably never tried

      By Nas · Posted

      Interesting share -- however it does not make sense: Email messages get stored somewhere, so how is Delta Chat "based on email" and decentralized without actually storing anything? By Web3 standard practices, the various Relays would require dedicated storage to make messages available to the recipients (like a large series of message queue channels, akin to racks of traditional post office boxes)... and Contacts must be two-way confirmed in order for encryption keys to be exchanged (ostensibly every key-pair is uniquely bound between sender and recipient) and the Relays would preserve the public keys in order to facilitate message carriage... or every device stores all sorts of keys and contact info. All of this to say, decentralized messaging is like running Bluesky nodes except instead of discovering/browsing public feeds by various posters (at the given node) these Delta Chats would be relaying encrypted messages (via Relays) that only trusted recipients would have the appropriate decryption key (their own private key) to read it. But this doesn't solve the "it's like email" sales pitch. The only way it's like email is that there's encrypted binary stuff being transported from your app into the federated ether of Delta Chat Relays for others to decrypt (hopefully only the intended recipient)... but outside of this federated relays framework, it is absolutely nothing like email.

  • Recent Achievements

    • Week One Done
      Woland13 earned a badge
      Week One Done
    • One Month Later
      Woland13 earned a badge
      One Month Later
    • One Year In
      bernmeister earned a badge
      One Year In
    • Week One Done
      Scoobystu earned a badge
      Week One Done
    • Week One Done
      tuben earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      504
    2. 2
      +Edouard
      228
    3. 3
      PsYcHoKiLLa
      161
    4. 4
      Steven P.
      76
    5. 5
      FloatingFatMan
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!