MySQL Forums

Re: Create user in a Stored Procedure
Posted by: Phillip Ward
Date: October 09, 2015 06:08AM

I would suggest that this is not a good way to manage user accounts.

By all means have users in your system and by all means store (the result of a hashing algorithm based on) passwords for them but don't ask the database to manage them. Do that job in your application tables.

Why?

(1) Volume.
If you have lots of users, then you'll have lots of accounts and, presumably, lots of database-level permissions that you have to grant to those users before they can do anything useful in the database.
Tedious.
Doubly tedious when you have to change the table structure and have to redo all those grants (to all of those users; OK, Groups make this a mite simpler).

Instead, use a single account for the whole application (that the users are never even aware of) and only grant database permissions to that account. If that account ever becomes compromised, you can change the password (and redeploy the new credentials into the application) without anyone else being aware there was even a problem. Asking all of your users to change their passwords would be a bit of an overhead.

(2) User Experience.
Users forget their passwords. It's just a fact of Life.
That's OK, because you've provided them with a nice little page on which they can reset their password ... except that they won't be able to log into the application to use that page, because they've forgotten their password.

Regards, Phill W.
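A sketch of the approach recommended in this post, added here as an example and not code from the post or from MySQL: users live in an application table as salted password hashes, and every statement runs over the application's one database connection. Assumptions: an in-memory sqlite3 database stands in for the MySQL connection opened with the single application account, and the table name `app_user`, the function names and the choice of PBKDF2-HMAC-SHA256 are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def open_store():
    """Stand-in for the connection made with the single application account."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE app_user ("
        " login TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return db


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(db, login, password):
    """Create the user or replace the stored hash; a reset page calls this too.

    No database account is created or altered, so a user who has forgotten the
    password can still be served by the application.
    """
    salt = os.urandom(16)  # fresh salt on every change
    # sqlite syntax; on MySQL this would be INSERT ... ON DUPLICATE KEY UPDATE
    db.execute(
        "INSERT OR REPLACE INTO app_user (login, salt, pw_hash) VALUES (?, ?, ?)",
        (login, salt, _hash(password, salt)),
    )
    db.commit()


def verify(db, login, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM app_user WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        _hash(password, b"\0" * 16)  # comparable work for unknown logins
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))
```
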
