1

I have a complex reporting application that allows clients to log in and view reports for their client data. There are several sections of the application where there are database calls, using various controllers. I need to make sure that client A doesn't get client B's information via header manipulation.

The system authenticates, and assigns them a clientID and roleID. If your roleID > 1, that means you work for the company hosting the data, and you can see all client info. I want to create a catch-all that basically works like this:

    if ($roleID > 1) {
        // staff role: the query goes through unchanged
        ...send query to database
    } else {
        // client role: refuse anything that reaches into another client's rows
        if (...does this query select a record with clientID other than my $auth->clientID) {
            // do not execute query
        } else {
            // execute query
        }
    }

The problem is, I want this to run for every query that goes to the server... how can I place this code as a "roadblock" between the application and the DB? I already use Zend_Profiler to look at queries, so I know it is somehow possible, but cannot discern this from the Profiler code...

I can always write an authentication function and pass selected queries that way, but this catch-all would be easier to implement across all of the calls and would be future-proof. Any help is appreciated.

1
  • I tend to use the ZFdebug toolbar, it's very helpful [Database: Full listing of SQL queries and the time for each] jokke.dk/software/zfdebug Commented Jul 29, 2011 at 17:24

4 Answers

1

It's an application design fault. You should use a 'service architecture': the only entry point for queries would be a service, with any checks inside it.


1 Comment

Not sure I understand... I thought Zend Framework was acting as a pseudo-service?
1

If this is something you want run on every query, I'd suggest extending Zend_Db_Select and overwrite either the query() or assemble() functions to add in your logic. You'll also want to add a way for it to be aware of your $auth object.

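The approach in this answer and in the next one (extending the adapter so that every `$db->select()` hands out the scoped object), written up as an added example that is not from the question or the answers. It assumes ZF1's Zend_Db_Select/Zend_Db_Adapter API, an identity object with the question's public `clientID`/`roleID` properties, and a constructed list of tables that carry a `client_id` column (the table and column names are assumptions).

```php
<?php
// Assumption: Zend_Auth identity is an object with public clientID and roleID, as in the question.
class App_Db_Select extends Zend_Db_Select
{
    // Constructed list of tables that carry a client_id column; other tables are left unscoped.
    private static $_tenantTables = array('reports', 'report_rows');
    private $_identity;
    private $_scoped = false;

    public function __construct(Zend_Db_Adapter_Abstract $adapter, $identity)
    {
        parent::__construct($adapter);
        $this->_identity = $identity;
    }

    // assemble() is what the adapter and __toString() both call, so every path to SQL passes here.
    public function assemble()
    {
        if (!$this->_scoped) {
            // The adapter may assemble the same object more than once; add the filter only once.
            $this->_scoped = true;
            if ($this->_identity === null) {
                // Fail closed: no authenticated identity, no rows.
                $this->where('1 = 0');
            } elseif ($this->_identity->roleID <= 1) {
                foreach ($this->getPart(self::FROM) as $alias => $table) {
                    if (in_array($table['tableName'], self::$_tenantTables)) {
                        // Restrict each tenant table to the logged-in client's rows.
                        $this->where(
                            $this->getAdapter()->quoteIdentifier($alias) . '.client_id = ?',
                            (int) $this->_identity->clientID
                        );
                    }
                }
            }
        }
        return parent::assemble();
    }
}

class App_Db_Adapter_Pdo_Mysql extends Zend_Db_Adapter_Pdo_Mysql
{
    // Every $db->select() in the application now returns the scoped select object.
    public function select()
    {
        return new App_Db_Select($this, Zend_Auth::getInstance()->getIdentity());
    }
}
```

Raw SQL strings passed to `$db->query()` or `$db->fetchAll('SELECT ...')` never reach assemble(), so the roadblock only holds for code that builds its queries through `select()`.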

1

Another option is to extend your database adapter so you can intercept the queries directly. IMO, you should try and do this at the application level though.


0

Depending on your database server, you can put a trace on the DB side.

Here's an example for Oracle:

http://orafaq.com/wiki/SQL_Trace
