
MySQL database and multiple users

I'm working on a web site that will have multiple users. Say 5 users total. What I need to make sure is that each user will only be able to access the data they input.

Think of a CRM or Job Board. So John will only be able to access John's info, edit, add, etc. Same with Jane and June.

Now if my reading is correct, all I need to do is make sure the queries pull only the data based off their unique id, correct?

So the database table for the users looks like:

Database: xxxxx, Table: xh_user
user_id 
user_username
user_fname
users_email
users_password 
users_salt

So if John's user_id is 7, when he logs in, it queries his id and displays only his content from the database.

Am I correct on this, or is there a different or better way to accomplish this?

As long as your foreign keys are set up correctly so that the data is linked to the user_id (PK) then it should be fine. Alternatively you can set up a user_roles table which contains access rights.

As far as I know and how I have been programming, yes. If you are looking for extra security, perhaps check the user's password/salt against what is in the database.

"all I need to do is make sure the queries pull only the data based off their unique id"

I'm not sure what you mean by this, but it is too general/broad a statement to be either bad or good. It really depends on the system you're building. This is by no means a generally applicable statement.

Now in your current set-up this looks somewhat correct, but in the long-ish term you might need some data to be public, or at least accessible by several people. This is impossible in your current design.

I would split the access and content, as they are separate things. Save what users (or look up a role-based pattern) have access to what data in separate tables, so you can build on what you have later, and add multiple user functionality.

This could become a long discussion, so I'll end with this: The bottom line with all database design is that you should save your information in a way that represents logical units, as it is in the real world (Yes, I'm taking some shortcuts here). So coupling a username to an id seems normal. But making the connection between a job and a user isn't that logical per se. A job can be visible to multiple users, no sweat. Or more than one user could have added the information. You could say that only 1 user is the 'owner' of a job or any other piece of data, but it seems too restrictive to make your access control purely out of who "owns" the data.

But then again, it is only a warning for the future. If you never need this, you don't.
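An added example, not part of any answer on this page: the owner-scoped queries from the question combined with the separate access table suggested in the answer above. It uses Python's sqlite3 as an offline stand-in for MySQL; `xh_user` and `user_id` come from the question, while `xh_job`, `xh_job_access`, the function names and all rows are assumptions made for illustration.

```python
import sqlite3

# sqlite3 stands in for MySQL so this runs offline. xh_user and user_id are from
# the question; xh_job, xh_job_access and all rows are constructed for the example.
SCHEMA = """
CREATE TABLE xh_user (user_id INTEGER PRIMARY KEY, user_username TEXT NOT NULL);
CREATE TABLE xh_job (job_id INTEGER PRIMARY KEY, title TEXT NOT NULL,
                     owner_id INTEGER NOT NULL REFERENCES xh_user(user_id));
CREATE TABLE xh_job_access (job_id INTEGER NOT NULL REFERENCES xh_job(job_id),
                            user_id INTEGER NOT NULL REFERENCES xh_user(user_id),
                            can_edit INTEGER NOT NULL DEFAULT 0,
                            PRIMARY KEY (job_id, user_id));
INSERT INTO xh_user VALUES (7, 'john'), (8, 'jane'), (9, 'june');
INSERT INTO xh_job VALUES (1, 'john job', 7), (2, 'jane job', 8);
INSERT INTO xh_job_access VALUES (2, 9, 0);  -- jane shares job 2 with june, read-only
"""

# Read rule: the caller owns the row or has been granted access to it.
# This is a fixed SQL fragment; user-supplied values only ever go in as parameters.
CAN_READ = """(j.owner_id = :uid OR EXISTS (SELECT 1 FROM xh_job_access a
              WHERE a.job_id = j.job_id AND a.user_id = :uid))"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

# In every function, uid must come from the server-side login session,
# never from a form field or URL parameter the browser can change.
def list_jobs(db, uid):
    sql = f"SELECT j.job_id FROM xh_job j WHERE {CAN_READ} ORDER BY j.job_id"
    return [row[0] for row in db.execute(sql, {"uid": uid})]

def get_job(db, uid, job_id):
    # The access rule is part of the lookup, so a guessed job_id yields None.
    sql = f"SELECT j.title FROM xh_job j WHERE j.job_id = :job AND {CAN_READ}"
    row = db.execute(sql, {"uid": uid, "job": job_id}).fetchone()
    return row[0] if row else None

def update_title(db, uid, job_id, title):
    # Writes need ownership or an explicit can_edit grant.
    cur = db.execute(
        """UPDATE xh_job SET title = :title WHERE job_id = :job AND (owner_id = :uid
           OR EXISTS (SELECT 1 FROM xh_job_access a WHERE a.job_id = xh_job.job_id
                      AND a.user_id = :uid AND a.can_edit = 1))""",
        {"title": title, "job": job_id, "uid": uid})
    return cur.rowcount == 1
```
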

You could have multiple databases, one per user. You'll need to have a way to do schema changes & upgrades though, like phinx. I wouldn't recommend this unless you foresee users having multiple users on their own account.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
