php - how to connect users with mysql in mobile apps? Login permissions


This is the first time I make a database for user interaction and I have some "silly" questions but I do not know how to google them to have a correct answer so here it is:

What I want:

I want to have a database where there will be users that have writen comments and articles. I will have user critical information such as name and addres and maybe credit card that I will have to recover it.

What I have done

I have create a database with a table for users with its information and then related to a table with comments and an other with articles.

My problems

1) When you do a db connection, do you do every time with the same user (of course not root) and then you compare the nickname and pass? That's what I have but it's pretty strange for me because if anyone knows my user and pass to connect to db will have all the information. I have thougth of having an account for each user but then how I can restrict to add//erase/see only things for their accounts?

2) I have read some questions and now I know I have to store passwords and compare them with bcrypt. Also I know credit card is not recomendable to store so probabilly I won't do it but for the rest of things (address, name) which is the best way to store them?

3) If an user does a connection and it's probabilly that will do more in a short time, is it better to close and open the connection each time? how can I control the session? Code is writen in php for connecting mobile devices to mysql.




First, don't store credit cards in your own database. Use something like stripe to tokenize the data (Free to sign up and anyone gets accepted).

If you are doing a mobile app with your own usernames and password, a remote server with usernames / passwords is the way to go. Hashing is usually a better approach for passwords than encrypting, since hashes are one way (you can know if a password matches, but you can never retrieve the password as a string).

As for connecting to your database, don't connect to it directly. Do it through an api / web service on your server.

For getting info from the server, you'll probably want to use json and use GET and POST requests. Here's a simple example for handling a login request on the server (make a post from the device):


if(isset($_POST['username']) && isset($_POST['password']))
  //See if the user's auth details are valid
  $auth = auth_model::try_auth(sanitizer($_POST['username']), sanitizer($_POST['password']));

  //If valid
    echo json_encode(other_model::some_function_that_returns_array());
    echo json_encode(array('error' => 'Authentication failed.'));

Note that I totally made up auth_model, sanitizer, and other_model, they are just there for example.

Most languages / platforms have libraries for consuming json, and it's a simple format, so as a starting point I think you'll have the easiest time with it.

For sessions / state, store your session in a database table and return just the id (and anything else that doesn't really need to be secure) to the client.




You shouldn't use a direct connection to your MySQL server from the app - it's a huge security gap. Users or hackers could either just sniff the traffic for credentials or disassemble the app to get them. Instead, do it server side via PHP and https-secured HTTP POST and GET of course.

You could add a user for every user of your app in your MySQL server automatically, but that would probably be way more complex.

People are also looking for solutions to the problem: javascript - Php Counter Hides Comma after loading and not showing permanently


Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.