MySQL Forums

Re: Need serious advices about distant login/auth.
Posted by: ftumsh
Date: September 29, 2006 03:51AM

Maxime Joanis Wrote:

> A MySQL database running on a distant server
> containing all the data of the company. Some web
> pages mainly showing queries to the customers.
> AND a software allowing employees to create,
> modify or delete information in the database.

> Requirements to meet :
> The user must only have to enter his password
And his user name, surely?

I'm assuming that as it's web based that the software is
on the server and the employees are using a web browser?

> 3 ways I thought :
> 1. By MySQL login... Each employee would need his
> MySQL username and password, I don't like this too
> much... because they can't only use the password
> (or else the software should know the passwords
> and corresponding user names.. what is obviously
> not a good idea).

It would work, but it doesn't allow the caching of
a connection to the db to speed up the application.
Or to be more precise you would have to have one persistent
connection per employee, which is no good.

> 2. By Employee table login... The software has
> one username/password and allows only people
> recognized by the database to access and play with
> the information. I think this is a nice idea..
> but risked if someone gets the username and the
> password... I like this idea because it allows
> the user to only enter his password and does only
> require from me to add the employee in the
> Employee table (no need for mysql user ... and
> anything else).

The server software only uses one mysql user. Or
perhaps two: one with select priv, the other with select,
insert, update etc.
The app asks for username/password and the server side
software then validates this against a table in the
database (not the mysql priv tables).

As for someone getting hold of the password, that is always a problem
regardless of method.

> 3. Well.. thought there was maybe something to do
> with the server firewall and MAC addresses or
> something, but that's becoming complicated...
> forget it.. if it's not THE best idea.

Use 2 above but only allow access to the webserver from selected
ip addresses. This assumes that employees will have a fixed ip
address or be in a small range.

John
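The scheme John recommends (option 2 plus an address allowlist), shown as an added example that is not code from this thread or from MySQL: the web application holds its own service account(s) for the database, and employees are authenticated against an application table of salted password hashes rather than against the MySQL privilege tables, after the request's source address has been checked against a small set of permitted networks. Assumptions made here: sqlite3 is used in memory as a stand-in for the MySQL server, and the table name, column names and network ranges are constructed for the example.

```python
"""
Application-level employee login in front of a shared DB service account.
Added example; the schema (employee/username/salt/pw_hash/active) and the
allowlisted networks are assumptions, and sqlite3 stands in for MySQL.
"""
import hashlib
import hmac
import ipaddress
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # slow the hash so leaked rows are costly to crack

# Constructed stand-in for "only allow access from selected ip addresses".
OFFICE_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    """Create the application's employee table. The web app itself connects
    to MySQL with one read-only and one read-write service account; this
    table holds application users only, never MySQL accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL,"
        " active INTEGER NOT NULL DEFAULT 1)"
    )
    return conn


def add_employee(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Adding a user is a single INSERT; no MySQL GRANT is needed per employee."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO employee (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time hash comparison."""
    row = conn.execute(
        "SELECT salt, pw_hash, active FROM employee WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Do the same amount of work so response time does not reveal
        # whether the username exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored, active = row
    return bool(active) and hmac.compare_digest(hash_password(password, salt), stored)


def ip_allowed(client_ip: str) -> bool:
    """Reject requests that do not come from an allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def handle_login(conn: sqlite3.Connection, client_ip: str, username: str, password: str) -> str:
    """Order matters: the cheap network check runs before the password hash."""
    if not ip_allowed(client_ip):
        return "denied: source address not in allowlist"
    if not verify_login(conn, username, password):
        return "denied: bad credentials"
    return "ok"


def demo() -> tuple:
    """Exercise the four outcomes with constructed data."""
    conn = open_db()
    add_employee(conn, "alice", "correct horse battery staple")
    return (
        handle_login(conn, "192.0.2.15", "alice", "correct horse battery staple"),
        handle_login(conn, "192.0.2.15", "alice", "wrong password"),
        handle_login(conn, "203.0.113.7", "alice", "correct horse battery staple"),
        handle_login(conn, "192.0.2.15", "bob", "anything"),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the application, not MySQL, decides who may log in, the database only ever sees the service accounts; keeping the customer-facing pages on the select-only account limits what a bug in those pages can change, while the employee tool uses the read-write account behind this login check.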
