php - how to connect users with mysql in mobile apps? Login permissions
This is the first time I make a database for user interaction and I have some "silly" questions but I do not know how to google them to have a correct answer so here it is:
What I want:
I want to have a database where there will be users that have writen comments and articles. I will have user critical information such as name and addres and maybe credit card that I will have to recover it.
What I have done
I have create a database with a table for users with its information and then related to a table with comments and an other with articles.
My problems
1) When you do a db connection, do you do every time with the same user (of course not root) and then you compare the nickname and pass? That's what I have but it's pretty strange for me because if anyone knows my user and pass to connect to db will have all the information. I have thougth of having an account for each user but then how I can restrict to add//erase/see only things for their accounts?
2) I have read some questions and now I know I have to store passwords and compare them with bcrypt. Also I know credit card is not recomendable to store so probabilly I won't do it but for the rest of things (address, name) which is the best way to store them?
3) If an user does a connection and it's probabilly that will do more in a short time, is it better to close and open the connection each time? how can I control the session? Code is writen in php for connecting mobile devices to mysql.
Answer
Solution:
First, don't store credit cards in your own database. Use something like stripe to tokenize the data (Free to sign up and anyone gets accepted).
If you are doing a mobile app with your own usernames and password, a remote server with usernames / passwords is the way to go. Hashing is usually a better approach for passwords than encrypting, since hashes are one way (you can know if a password matches, but you can never retrieve the password as a string).
As for connecting to your database, don't connect to it directly. Do it through an api / web service on your server.
For getting info from the server, you'll probably want to use json and use GET and POST requests. Here's a simple example for handling a login request on the server (make a post from the device):
Note that I totally made up auth_model, sanitizer, and other_model, they are just there for example.
Most languages / platforms have libraries for consuming json, and it's a simple format, so as a starting point I think you'll have the easiest time with it.
For sessions / state, store your session in a database table and return just the id (and anything else that doesn't really need to be secure) to the client.
Answer
Solution:
You shouldn't use a direct connection to your MySQL server from the app - it's a huge security gap. Users or hackers could either just sniff the traffic for credentials or disassemble the app to get them. Instead, do it server side via PHP and https-secured HTTP POST and GET of course.
You could add a user for every user of your app in your MySQL server automatically, but that would probably be way more complex.