Let's say that I have a database Table that stores orders from users.
Order.id | product | user |
---|---|---|
1 | product1 | user1 |
2 | product2 | user1 |
3 | product2 | user2 |
4 | product1 | user3 |
5 | product2 | user3 |
6 | product3 | user3 |
And a public API that gives the user all the orders that he requests
I want to prevent user from getting orders of other users and give them access to their orders only.
ie:
user1 can only get order 1,2
user2 can only get order 3
user3 can only get order 4,5,6
How do I do that ? and what is the name of the procedure?
CodePudding user response:
From comments: SQL queries should never be built on the client side in any context. Doing so would present an extremely severe security flaw. Anything that comes from the client should be verified before taking any action on it.
Design your application instead to expose a service that performs authentication/authorization of requests before querying the database and returning the data specific to the authenticated user, or data that the authenticated user should have access to.
It may go without saying, but you should also be performing rudimentary validation/sanitization checks and using things like parameterized queries/prepared statements in your application to further secure the data within your database from unauthorized access.