Home > Article > Backend Development > Use PHP and MySQL to implement a powerful user rights control system
In modern web applications, user permission control is crucial. To ensure the security and integrity of an application, user access to specific operations and information must be restricted and the specific tasks that users are allowed to perform must be defined. In this article, I will introduce how to use PHP and MySQL to create a powerful user permission control system to ensure the security and integrity of your web applications.
1. Design of database tables
In the MySQL database, we need at least two tables to implement the user authority control system. The first table records basic information for all users, including username, password, and email address. The second table is the permissions table, which records the permissions of each role/user group. Therefore, we need to create the following two tables in the database:
CREATE TABLE users
(
id
int(11) NOT NULL AUTO_INCREMENT,
username
varchar(50) NOT NULL,
password
varchar(255) NOT NULL,
email
varchar(100) NOT NULL,
PRIMARY KEY (id
)
);
CREATE TABLE roles
(
id
int(11) NOT NULL AUTO_INCREMENT,
name
varchar(50) NOT NULL,
PRIMARY KEY (id
)
);
We also need a table that associates users with roles. This table maps user IDs to role IDs. Let's create this table.
CREATE TABLE role_user
(
role_id
int(11) NOT NULL,
user_id
int(11) NOT NULL,
PRIMARY KEY (role_id
,user_id
),
CONSTRAINT FK_role_user_role_id
FOREIGN KEY (role_id
) REFERENCES roles
(id
),
CONSTRAINT FK_role_id_user_id
FOREIGN KEY (user_id
) REFERENCES users
(id
)
);
2. Implementation of user rights control system
Now we have created the required database Now we can start implementing a user permissions control system for our application. Here are some basic concepts:
A role is a logical structure that associates a set of permissions together. For example, we can create an "Administrator" role and grant all administrative-related permissions to this role.
Permissions are the control rights of a certain function. For example, view, create, edit, and delete users are different permissions. Granting these permissions to specific roles limits users' access.
A user is an individual who interacts with an application. Each user will be assigned one or more roles, which define the actions the user can perform and access.
Now let’s see how to implement this system.
For each new user, we need to create a corresponding user record. We will create a record in the "users" table for each user, including username, password, and email address. Use the following code to create the user.
function create_user($username, $password, $email) { // Encrypt password $encrypted_password = password_hash($password, PASSWORD_DEFAULT); // Prepare SQL statement $sql = "INSERT INTO users (username, password, email) VALUES (?, ?, ?)"; // Bind parameters $stmt = $conn->prepare($sql); $stmt->bind_param("sss", $username, $encrypted_password, $email); // Execute statement if ($stmt->execute()) { return true; } else { return false; } }
Creating a role is very simple, just insert a record in the "roles" table. Here's an example.
function create_role($name) { // Prepare SQL statement $sql = "INSERT INTO roles (name) VALUES (?)"; // Bind parameters $stmt = $conn->prepare($sql); $stmt->bind_param("s", $name); // Execute statement if ($stmt->execute()) { return true; } else { return false; } }
Now that we have created users and roles, we need to associate them. Roles can be assigned by inserting the role ID and user ID into the "role_user" table. Below is some sample code.
function assign_role_to_user($role_id, $user_id) { // Prepare SQL statement $sql = "INSERT INTO role_user (role_id, user_id) VALUES (?, ?)"; // Bind parameters $stmt = $conn->prepare($sql); $stmt->bind_param("ii", $role_id, $user_id); // Execute statement if ($stmt->execute()) { return true; } else { return false; } }
Finally, we need to check if the user has permission to perform an operation. We will find all the roles the user belongs to and check if the roles have the required permissions. Returns true if the user has permission, false if not. Below is some sample code.
function has_permission($user_id, $permission) { // Fetch user roles $sql = "SELECT role_id FROM role_user WHERE user_id = ?"; $stmt = $conn->prepare($sql); $stmt->bind_param("i", $user_id); $stmt->execute(); $result = $stmt->get_result(); // Check if any role has permission while ($row = $result->fetch_assoc()) { $sql2 = "SELECT permissions FROM roles WHERE id = " . $row['role_id']; $result2 = $conn->query($sql2); if ($result2->num_rows == 1) { $row2 = $result2->fetch_assoc(); $permissions = json_decode($row2['permissions'], true); if (in_array($permission, $permissions)) { return true; } } } // Permission not found return false; }
3. Summary
Using PHP and MySQL to create a user permission control system can ensure the security and integrity of web applications. We can restrict user access to specific operations and information based on roles and permissions. With this system, we can protect web applications from unauthorized access, thus improving overall security.
The above is the detailed content of Use PHP and MySQL to implement a powerful user rights control system. For more information, please follow other related articles on the PHP Chinese website!