如何使用SQLalchemy安全地连接到MySQL数据库?
[英]How to connect securely to a MySQL database using SQLalchemy?
问题描述
I am in the process of developing a Python3/tkinter application that I want to have its database features based on a remote MySQL server. 
我正在开发一个Python3 / tkinter应用程序,我希望它具有基于远程MySQL服务器的数据库功能。 I have found SQLalchemy and I am trying to understand what the best practices are in terms of remote access and user authentication. 我找到了SQLalchemy,我试图了解远程访问和用户身份验证方面的最佳实践。 There will be a client application that will ask for a username and password and then it will get, insert and update data in the remote database. 将有一个客户端应用程序将要求输入用户名和密码,然后它将获取,插入和更新远程数据库中的数据。
Right now, I am starting with a clear board, following the steps in some tutorial: 现在,我开始使用一个清晰的板,遵循一些教程中的步骤:
from sqlalchemy import create_engine, ForeignKey
from sqlalchemy import Column, Date, Integer, String
from sqlalchemy.ext.declarative import declarative_base
engine = create_engine('mysql+pymysql://DB_USER:DB_PASSWORD@DATABASE_URL:PORT/DATABASENAME', pool_recycle=3600, echo=True)
Base = declarative_base()
connection = engine.connect()
class Process(Base):
__tablename__ = "processes"
id = Column(Integer, primary_key=True)
name = Column(String)
Base.metadata.create_all(engine)
Assuming this is the right way to do it, my first question about this code is: 假设这是正确的方法,我对此代码的第一个问题是:
- Isn't here a potential security problem by sending unencrypted user and password through the Internet? 通过Internet发送未加密的用户和密码,这不是一个潜在的安全问题吗? Should be taken some kind of measures to prevent password steal? 应采取某种措施防止密码窃取? If so, what should I be doing instead? 如果是这样,我应该做什么呢?
The other question that I have right now is about users: 我现在面临的另一个问题是关于用户:
- Should each application user correspond to a different MySQL database user, or is it more correct to have the database client with a single user and then add my client users in a table (user id, password, ...), defining and managing them in the application code? 每个应用程序用户是否应该与不同的MySQL数据库用户对应,或者将数据库客户端与单个用户对应,然后将我的客户端用户添加到表(用户ID,密码......)中,定义和管理它们更为正确在应用程序代码中?
1 个解决方案
解决方案1
0 已采纳 2017-03-17 12:49:37
Isn't here a potential security problem by sending unencrypted user and password through the Internet?
There is a fundamental issue with having a (MySQL) database available to the web. 将(MySQL)数据库提供给Web是一个基本问题。 With MySQL you can configure it to require ssh-tunnels or ssl-certificates, both of which prevents sending passwords in clear text. 使用MySQL,您可以将其配置为需要ssh-tunnels或ssl-certificates,这两种方法都可以防止以明文形式发送密码。 Generally you'll have to write both your client software, and a piece of server software that sits on a server close to the database (and the protocol between client/server). 通常,您必须编写客户端软件和位于靠近数据库的服务器上的服务器软件(以及客户端/服务器之间的协议)。
Should each application user correspond to a different MySQL database user, or is it more correct to have the database client with a single user and then add my client users in a table (user id, password, ...), defining and managing them in the application code?
Neither is more correct than the other, but depending on your database (and your client machines) it might influence licensing costs. 两者都不比另一个更正确,但取决于您的数据库(和您的客户端计算机),它可能会影响许可成本。
Normally your client would authenticate users with the server-software you'll be writing, and then the server software would be using a single database login to contact the database. 通常,您的客户端将使用您将要编写的服务器软件对用户进行身份验证,然后服务器软件将使用单个数据库登录来联系数据库。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.