I can't help you with any legal aspects, since I used my business-classes to refresh my mind and sort my thoughts (some people refere to that activity as "sleep"..). And I won't help you with the ethical decission, cause I am not sure/don't have one either.. But here's the technical part and what I think about it:

I'd prefer to have only one table, but using MySQL itself to manage what user may access what data. It has excellent user managament (e.g. access-controll for each column in a table) and I think it's quite secure as long as you're aware of what's goin on. You can still code an user-interface, e.g. CGI based to make it OS-independent. My idea is to ask the user for his/her username, password at the beginning of each session and try to connect to the database with these settings. All you have to code is the error-handling if someone tries to access some forbidden areas. All the access-managing stuff would be done by the database which is secure enough for my very own needs (it might be not for huge companies and/or very sensitiv data).

However, you will need a write/update access for your programm to insert data into the database. Just make sure that noone can get that password. Then the only passwort that is _in_ the code is the master-password. And if possible I'd remove that, too.

One more reason that I can think of is, that you should always avoid dublicated data (code and database). And if you use two tables with basically the exact same data that's about the best/worst example that you could give.

Happy coding ;)
octopus
--
GED/CC d-- s:- a--- C++(+++) UL+++ P++++$ L++>++++ E--- W+++@ N o? K? w-- O- M-(+) V? !PS !PE !Y PGP+(++) t-- 5 X+ R+(+++) tv+(++) b++@ DI+() D+ G++ e->+++ h!++ r+(++) y+