消息
创作中心
doupu1949 2013-09-10 07:36
浏览 32
已采纳

facebook用户信息存储在数据库中

My website provide the user to create an account and log in with facebook. The user table contain: userId (generated by $userId = uniqid(rand(), true;, if user creating his own account). password, salt, email, date joined.

1st question:

I am not sure if what I am doing with facebook is safe. Right now I am getting user ID from facebook and sending it to server with xmlhttpRequest object. Then server store it under userID and leave other columns blank.

2nd question:

Is the possibilities significant for the facebook userID to overlap with normal account's userid generated by uniquid(rand(), true)

3rd question:

is it safe to use client side login? I mean even my App ID will be seen by users.

4th question: In order to tell if the entry is a facebook account or normal account, should I add another column in database, true=facebook account, false=normal account. Or should I just check to see if password column is blank for the certain account?

  • 写回答

1条回答 默认 最新

  • doulin2025 2013-09-10 10:27
    关注

    Using thepointless.com as an example, every user gets an auto-incremented ID, including facebook users. External authentication services are recognized by the username, which contains a URL for "irregular" users:

    +----------+------------------+------+-----+-------------------+----------------+
| Field    | Type             | Null | Key | Default           | Extra          |
+----------+------------------+------+-----+-------------------+----------------+
| user_id  | int(10) unsigned | NO   | PRI | NULL              | auto_increment |
| username | varchar(255)     | YES  | UNI | NULL              |                |
| password | varchar(255)     | YES  |     | NULL              |                |
| created  | timestamp        | NO   |     | CURRENT_TIMESTAMP |                |
| userdata | mediumtext       | YES  |     | NULL              |                |
| admin    | tinyint(1)       | YES  |     | 0                 |                |
| name     | varchar(765)     | YES  |     | NULL              |                |
+----------+------------------+------+-----+-------------------+----------------+

    Facebook users' usernames are the URLs of their graph data, like http://graph.facebook.com/8643372. It isn't necessary in your system to point to something real, so long as it identifies the domain and an external [unique] ID. It just so happens in this case that the user's public graph object is a short, predictable URL.

    Normal users are restricted from prefixing their usernames with http or https. The password is left blank. And the userdata stores the JSON or XML provided by the 3rd party authentication service.

    A fully client-side login shouldn't generally be trusted by server-side logic. But, server-side validation of a JavaScript initiated login is generally not difficult. And there's no reason not to trust, at least on a preliminary basis, an entirely client-side authentication on the client.

    And as far as I know, there's no need to keep your App ID a secret. It's your "App Secret" that needs to remain hidden.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
编辑
预览

报告相同问题?

手机看
程序员都在用的中文IT技术交流社区

程序员都在用的中文IT技术交流社区

专业的中文 IT 技术社区,与千万技术人共成长

专业的中文 IT 技术社区,与千万技术人共成长

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

关注【CSDN】视频号,行业资讯、技术分享精彩不断,直播好礼送不停!

 客服 返回
顶部