I am writing a set of HTML based resources, stored in a mysql db on our server. The resources contain image references, which are stored as relative paths.
I can login to an admin panel and create and edit resources very easily.
This bit is all done, and working well.
However, we are going to want to provide this resource in two ways: packaged and hosted. The one that is providing real problems is the hosted solution:
We want to host the database and all image resources, however we want to give access to the resources via a set of templates for other users to host on their own site. This is so they can brand the templates accordingly, and have the resource available at their own URL e.g.
http://www.example.com/discojoe
There are two questions I have on this process, which are causing me real headaches:
• I realise the obvious security implication of providing even read-only access to our mysql server. The only alternative I can think of is some server side code running on our server, which when requested, squirts the requested data back to the user. This removes the need for them to have any mysql connection.
Are there any examples of the above type of scenario online I can read up on, or can you give some pointers on how I would go about addressing this solution?
• For users whom we stream the data to (if the above solution is sensible), how could I go about updating the image SRC value on the fly within the HTML content? Whilst I want it stored as a relative URL in the database, when I retrieve the data from the database, I want to convert all image srcs from relative to absolute, with the absolute URL that I specify.
2 Solutions
#1
2
I realise the obvious security implication of providing even read-only access to our mysql server. The only alternative I think of is some server side code running on our server, which when requested, squirts the requested data back to the user. This removes the need for them to have any mysql connection.
You could create a REST API (I would return JSON) using predefined queries with PDO prepared statements (safe against SQL injections). With a little bit of care you could make it pretty safe. Of course, if the resources should be protected, you must also add authentication to your system, using simple API keys for example. I think you could generate these keys easily the same way you prevent CSRF (`$token = md5(uniqid(rand(), TRUE));`). Maybe you should add a little bit more entropy, but I think this is going to be sufficient. But if you want to really do it correctly you should use OAuth instead.
With a little bit of mod_rewriting you could write pretty URLs.
For users whom we stream the data to (if the above solution is sensible), how could I go about updating the image SRC value on the fly within the HTML content. Whilst I want it stored as a relative URL in the database, when I retrieve the data from the database, I want to convert all image srcs from relative to absolute, with the absolute URL that I specify.
I think you could use any of the many available template languages to achieve this. Even jQuery has one built-in.
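As an added example (not code from the answer above), here is the shape of such a read-only endpoint in PHP: a real server-side prepared statement keyed only by an integer id, and a partner API key generated from the OS CSPRNG instead of `md5(uniqid(rand(), TRUE))`, stored only as a hash. The table names `resources(id, html)` and `api_keys(key_hash)` and the connection values are assumptions.

```php
<?php
// Added example, not code from the answer above. Hypothetical schema:
// resources(id INT, html TEXT) and api_keys(key_hash CHAR(64)).
// Connection settings are placeholders.
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side escaping
]);

// Issue a partner key once; store only its hash, hand the plain key to the partner.
function issueApiKey(PDO $pdo): string {
    // 32 bytes from the OS CSPRNG. md5(uniqid(rand(), TRUE)) is time-based and
    // guessable, so it is not suitable as a bearer credential.
    $key = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO api_keys (key_hash) VALUES (:h)')
        ->execute([':h' => hash('sha256', $key)]);
    return $key;
}

// Look the presented key up by its hash; a leaked table then yields no usable keys.
function isValidApiKey(PDO $pdo, string $presented): bool {
    $stmt = $pdo->prepare('SELECT 1 FROM api_keys WHERE key_hash = :h');
    $stmt->execute([':h' => hash('sha256', $presented)]);
    return $stmt->fetchColumn() !== false;
}

// Predefined query: the client supplies only an integer id, never SQL text.
function fetchResourceHtml(PDO $pdo, int $id): ?string {
    $stmt = $pdo->prepare('SELECT html FROM resources WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $html = $stmt->fetchColumn();
    return $html === false ? null : $html;
}

// Request handling, e.g. GET /api/resource.php?id=42 with an X-Api-Key header.
if (!isValidApiKey($pdo, $_SERVER['HTTP_X_API_KEY'] ?? '')) { http_response_code(401); exit; }

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) { http_response_code(400); exit; }

$html = fetchResourceHtml($pdo, $id);
if ($html === null) { http_response_code(404); exit; }

header('Content-Type: application/json; charset=utf-8');
echo json_encode(['id' => $id, 'html' => $html]);
```

Serve this only over HTTPS and rate-limit failed key lookups; the key is a bearer credential, so anyone holding it has the same read access as the partner.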
#2
1
Create a REST-style web service. That is, set up an HTTP server that responds to data requests by using some server code to load up your templates, alter the URLs and other things (relative to absolute), and sends it to the client as fragments of HTML (or even CSS).
Your user, running on another web server, can use an HTTP client package to consume your web service, incorporate the resulting code fragments into her page, and send it out.
Alternatively you could build your code fragments so they function in iframe objects. In that case your user would build her code to deliver iframe objects to her end-users with references to your server in them.
Finally, your web service could deliver XML or JSON, and be consumed by AJAX-style JavaScript in the end-user's browsers.
You are absolutely right to prevent direct access to your MySQL table server from random clients.
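Both answers leave the relative-to-absolute rewrite to "some server code" or a template language. As an added example, not code from either answer, here is that step done on the serving side with DOMDocument: only path-style `src` values are rewritten under an image root we control, values that already name a scheme or host are left as stored, and a path that climbs out of the root is dropped. `$imageRoot` is an assumed configuration value and the sample fragment is constructed.

```php
<?php
// Added example, not from either answer: when a stored fragment is served,
// rewrite relative <img src> values to absolute URLs under an image root we
// control. $imageRoot is an assumed configuration value.

function absolutizeImageSrcs(string $fragment, string $imageRoot): string {
    $root = rtrim($imageRoot, '/') . '/';
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // fragments trigger harmless warnings
    // The encoding prolog keeps UTF-8 intact; the wrapper <div> lets us return
    // only the fragment's own nodes rather than the implied <html><body>.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $fragment . '</div>');
    libxml_use_internal_errors($prev);
    $wrapper = $doc->getElementsByTagName('div')->item(0); // outermost div = our wrapper

    foreach ($wrapper->getElementsByTagName('img') as $img) {
        $src = trim($img->getAttribute('src'));
        if ($src === '') { continue; }
        // Anything that already carries a scheme or host is left as stored
        // (http:, https:, data:, //host/...): only bare paths are rewritten.
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $src) || strncmp($src, '//', 2) === 0) {
            continue;
        }
        // A stored path must not climb out of the image root.
        if (preg_match('#(^|/)\.\.(/|$)#', $src)) {
            $img->removeAttribute('src');
            continue;
        }
        $img->setAttribute('src', $root . ltrim($src, '/'));
    }

    $out = '';
    foreach ($wrapper->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed sample fragment: one relative path, one already-absolute URL.
echo absolutizeImageSrcs(
    '<p>Intro</p><img src="img/disco.png" alt="disco"><img src="https://cdn.example.net/x.png">',
    'https://assets.example.com/discojoe'
);
```

Because the stored HTML comes from your own admin panel, this only rewrites URLs; if partners are ever allowed to contribute fragments, run them through an HTML sanitiser before serving as well.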