Permissions done on MySQL side or PHP side?
When I am grabbing data from my table that requires permissions, should all the permissions be done there? Such as checking for an admin or if they can view the data (in MySQL)?
Or should I grab it if they have a record at all, then check the specific actions (such as view, add, edit, delete) on the PHP side?
It's usually more efficient to do everything in SQL but it's also more complicated, and can be a lot harder to maintain.
Mostly it depends on your exact security model and security concerns.
Do it in PHP. Say you have the user Admin, and you are going to look at the table books. If you do it in MySQL, you have to make a join to see if they can access the data and then grab the data. If you do it in PHP, you check if they have the permission, and if they don't, stop processing and never attempt to grab data from books. It is more secure that way if someone tries to exploit your server.
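The two approaches from the answers above, side by side, as an added example that is not part of the original posts. The `permissions` table, its columns and the functions `can`, `listBooksPhpCheck` and `listBooksSqlCheck` are hypothetical, and an in-memory SQLite database reached through PDO stands in for MySQL so the script runs offline.

```php
<?php
// Added example: table, column and function names are assumptions, not from the page.
// SQLite in memory stands in for MySQL so the script runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec('CREATE TABLE permissions (
    user_id INTEGER NOT NULL, resource TEXT NOT NULL, action TEXT NOT NULL,
    PRIMARY KEY (user_id, resource, action))');
// Constructed sample data: user 1 may view and edit books, user 2 has no grants.
$db->exec("INSERT INTO books (title) VALUES ('Book A'), ('Book B')");
$db->exec("INSERT INTO permissions VALUES (1, 'books', 'view'), (1, 'books', 'edit')");

// PHP-side check: one small lookup, deny by default when no grant row exists.
function can(PDO $db, int $userId, string $resource, string $action): bool
{
    $stmt = $db->prepare('SELECT 1 FROM permissions
                          WHERE user_id = ? AND resource = ? AND action = ?');
    $stmt->execute([$userId, $resource, $action]);
    return $stmt->fetchColumn() !== false;
}

function listBooksPhpCheck(PDO $db, int $userId): array
{
    if (!can($db, $userId, 'books', 'view')) {
        throw new RuntimeException('Forbidden'); // stop here, books is never queried
    }
    return $db->query('SELECT id, title FROM books')->fetchAll(PDO::FETCH_ASSOC);
}

// SQL-side check: the join makes the grant a condition of returning any row.
function listBooksSqlCheck(PDO $db, int $userId): array
{
    $stmt = $db->prepare("SELECT b.id, b.title FROM books b
                          JOIN permissions p ON p.resource = 'books' AND p.action = 'view'
                          WHERE p.user_id = ?");
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(count(listBooksSqlCheck($db, 1))); // user 1 holds the view grant
var_dump(count(listBooksSqlCheck($db, 2))); // user 2 holds no grant
try {
    listBooksPhpCheck($db, 2);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // explicit denial that the caller can log
}
```

In the SQL-side version a denied user gets an empty result that looks the same as an empty table, while the PHP-side version produces an explicit denial before `books` is read. Both versions bind the user id as a parameter, so the check itself does not depend on string concatenation.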