doupu1949 2013-09-10 15:36
浏览 32
已采纳

facebook用户信息存储在数据库中

My website provide the user to create an account and log in with facebook. The user table contain: userId (generated by $userId = uniqid(rand(), true;, if user creating his own account). password, salt, email, date joined.

1st question:

I am not sure if what I am doing with facebook is safe. Right now I am getting user ID from facebook and sending it to server with xmlhttpRequest object. Then server store it under userID and leave other columns blank.

2nd question:

Is the possibilities significant for the facebook userID to overlap with normal account's userid generated by uniquid(rand(), true)

3rd question:

is it safe to use client side login? I mean even my App ID will be seen by users.

4th question: In order to tell if the entry is a facebook account or normal account, should I add another column in database, true=facebook account, false=normal account. Or should I just check to see if password column is blank for the certain account?

  • 写回答

1条回答 默认 最新

  • doulin2025 2013-09-10 18:27
    关注

    Using thepointless.com as an example, every user gets an auto-incremented ID, including facebook users. External authentication services are recognized by the username, which contains a URL for "irregular" users:

    +----------+------------------+------+-----+-------------------+----------------+
| Field    | Type             | Null | Key | Default           | Extra          |
+----------+------------------+------+-----+-------------------+----------------+
| user_id  | int(10) unsigned | NO   | PRI | NULL              | auto_increment |
| username | varchar(255)     | YES  | UNI | NULL              |                |
| password | varchar(255)     | YES  |     | NULL              |                |
| created  | timestamp        | NO   |     | CURRENT_TIMESTAMP |                |
| userdata | mediumtext       | YES  |     | NULL              |                |
| admin    | tinyint(1)       | YES  |     | 0                 |                |
| name     | varchar(765)     | YES  |     | NULL              |                |
+----------+------------------+------+-----+-------------------+----------------+

    Facebook users' usernames are the URLs of their graph data, like http://graph.facebook.com/8643372. It isn't necessary in your system to point to something real, so long as it identifies the domain and an external [unique] ID. It just so happens in this case that the user's public graph object is a short, predictable URL.

    Normal users are restricted from prefixing their usernames with http or https. The password is left blank. And the userdata stores the JSON or XML provided by the 3rd party authentication service.

    A fully client-side login shouldn't generally be trusted by server-side logic. But, server-side validation of a JavaScript initiated login is generally not difficult. And there's no reason not to trust, at least on a preliminary basis, an entirely client-side authentication on the client.

    And as far as I know, there's no need to keep your App ID a secret. It's your "App Secret" that needs to remain hidden.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 seatunnel 怎么配置Elasticsearch
  • ¥15 PSCAD安装问题 ERROR: Visual Studio 2013, 2015, 2017 or 2019 is not found in the system.
  • ¥15 (标签-MATLAB|关键词-多址)
  • ¥15 关于#MATLAB#的问题,如何解决?(相关搜索:信噪比,系统容量)
  • ¥500 52810做蓝牙接受端
  • ¥15 基于PLC的三轴机械手程序
  • ¥15 多址通信方式的抗噪声性能和系统容量对比
  • ¥15 winform的chart曲线生成时有凸起
  • ¥15 msix packaging tool打包问题
  • ¥15 finalshell节点的搭建代码和那个端口代码教程