我的网络应用程序的用户是否需要直接访问我的数据库?
[英]Do my web app's users need direct access to my database?
问题描述
I'm creating a web app that users will create an account for, which allows them to read/write data on a database. 
我正在创建一个用户将创建帐户的Web应用程序,允许他们在数据库上读/写数据。 I'm about to start creating the login authentication part of the website, and its my first time really doing this part. 我即将开始创建网站的登录验证部分,这是我第一次真正做这部分。 As I understand it, I'm going to create a users table which will store all the necessary login info for the website. 据我了解,我将创建一个用户表,该表将存储该网站的所有必要登录信息。
I know there are also database roles/permissions. 我知道还有数据库角色/权限。 My question is about how the 2 relate in this instance. 我的问题是关于2在这种情况下如何相关。 Do I need to authenticate the users on the website and the database? 我是否需要对网站和数据库中的用户进行身份验证? My thought process was that if all of my PHP scripts are set up in such a way that the session data will only allow authenticated users read/write to the DB, then I don't need to do anything on the database end, but I want to make sure I'm thinking about this correctly. 我的思维过程是,如果我的所有PHP脚本都设置为会话数据只允许经过身份验证的用户读/写数据库,那么我不需要在数据库端做任何事情,但我我想确保我正确地考虑这个问题。
Is that clear as mud? 那是泥浆吗?
2 个解决方案
解决方案1
5 已采纳 2013-12-10 17:27:03
If I understand correctly, your question is wether or not your users need access to your database. 如果我理解正确,您的问题是否有问题,您的用户需要访问您的数据库。
Your users are not going to communicate with the database directly. 您的用户不会直接与数据库通信。 Your app will. 你的应用会。 Your users are only going to use your app which will act as an interface between the user and the database. 您的用户只会使用您的应用程序,它将充当用户和数据库之间的接口。
Therefore, only the app needs access (and the appropriate permissions) to the database. 因此,只有应用程序需要访问数据库(以及相应的权限)。 Because it now has access to the database, it becomes responsible for making sure that only the right people can perform certain actions. 因为它现在可以访问数据库,所以它负责确保只有合适的人才能执行某些操作。 (by means of a login- and permission system) (通过登录和许可系统)
If not all users should have the same permissions within your app (you might have normal users and administrators), you need to create a permission system within your app that checks wether a user has the appropriate permissions to perform a certain action. 如果并非所有用户都应在您的应用程序中拥有相同的权限(您可能拥有普通用户和管理员),则需要在应用程序中创建权限系统,以检查用户是否具有执行特定操作的适当权限。
For instance if someone tries to delete some important data, you 例如,如果有人试图删除一些重要数据,那么
- make sure he's logged in (if he's not, redirect to the login page) 确保他已登录(如果不是,则重定向到登录页面)
- make sure he has the appropriate role / permissions (in this case he should be an administrator - if he's not, cancel the action) 确保他有适当的角色/权限(在这种情况下,他应该是管理员 - 如果他不是,取消行动)
Symfony's page on Security gives some insight. Symfony的安全页面提供了一些见解。 Just skip the Symfony-specific parts and read about the general idea. 只需跳过Symfony特定的部分,并阅读有关一般概念的内容。
解决方案2
2 2013-12-10 17:29:09
Your users will authenticate on your website (by requesting details about their validity from the database). 您的用户将在您的网站上进行身份验证(通过从数据库请求有关其有效性的详细信息)。 Once authenticated they can do things that the website gives them access to. 经过身份验证后,他们可以执行网站授予他们访问权限的内容。
The only user that will communicate with the database directly is you/your website. 直接与数据库通信的唯一用户是您/您的网站。 Your database will have a table entitled 'users', but the actual user of the database should be no one else but you - you don't want to give random users free reign. 您的数据库将有一个名为“users”的表,但数据库的实际用户应该是除了您之外的其他任何人 - 您不希望随机用户自由统治。 You can then set what database queries you wish the database to perform on certain users actions. 然后,您可以设置希望数据库对某些用户操作执行的数据库查询。
Hope that helps clarify 希望有助于澄清
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.