doupu1949 2013-09-10 15:36
Views 32
Accepted

Storing Facebook user information in the database

My website provides the user with the option to create an account and log in with Facebook. The user table contains: userId (generated by $userId = uniqid(rand(), true); if the user is creating his own account), password, salt, email, date joined.

1st question:

I am not sure if what I am doing with Facebook is safe. Right now I am getting the user ID from Facebook and sending it to the server with an XMLHttpRequest object. Then the server stores it under userID and leaves the other columns blank.

2nd question:

Is the possibility significant that a Facebook userID overlaps with a normal account's userId generated by uniqid(rand(), true)?

3rd question:

Is it safe to use client-side login? I mean even my App ID will be seen by users.

4th question: In order to tell whether an entry is a Facebook account or a normal account, should I add another column to the database (true = Facebook account, false = normal account)? Or should I just check whether the password column is blank for that account?


1 answer

  • doulin2025 2013-09-10 18:27

    Using thepointless.com as an example, every user gets an auto-incremented ID, including facebook users. External authentication services are recognized by the username, which contains a URL for "irregular" users:

    +----------+------------------+------+-----+-------------------+----------------+
    | Field    | Type             | Null | Key | Default           | Extra          |
    +----------+------------------+------+-----+-------------------+----------------+
    | user_id  | int(10) unsigned | NO   | PRI | NULL              | auto_increment |
    | username | varchar(255)     | YES  | UNI | NULL              |                |
    | password | varchar(255)     | YES  |     | NULL              |                |
    | created  | timestamp        | NO   |     | CURRENT_TIMESTAMP |                |
    | userdata | mediumtext       | YES  |     | NULL              |                |
    | admin    | tinyint(1)       | YES  |     | 0                 |                |
    | name     | varchar(765)     | YES  |     | NULL              |                |
    +----------+------------------+------+-----+-------------------+----------------+
    

    Facebook users' usernames are the URLs of their graph data, like http://graph.facebook.com/8643372. It isn't necessary in your system to point to something real, so long as it identifies the domain and an external [unique] ID. It just so happens in this case that the user's public graph object is a short, predictable URL.

    Normal users are restricted from prefixing their usernames with http or https. The password is left blank. And the userdata stores the JSON or XML provided by the third-party authentication service.

    A fully client-side login shouldn't generally be trusted by server-side logic. But, server-side validation of a JavaScript initiated login is generally not difficult. And there's no reason not to trust, at least on a preliminary basis, an entirely client-side authentication on the client.

    And as far as I know, there's no need to keep your App ID a secret. It's your "App Secret" that needs to remain hidden.

    This answer was selected by the asker as the best answer.
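The account model the answer describes, as an added illustration in Python (this is not code from the original answer or from thepointless.com): one auto-incremented user_id for everyone, external identities keyed by a URL-shaped username such as http://graph.facebook.com/8643372, local usernames forbidden from starting with http:// or https://, a NULL password for external rows, and the provider's profile JSON kept in userdata. The in-memory table, the sample local user and the sample Facebook ID are constructed for the example; the PBKDF2 password storage is an assumption added for the local accounts, which the answer does not specify.

```python
"""Account model from the answer: a single auto-incremented user_id for all users,
with third-party accounts distinguished by a URL-shaped username.
Added example; the in-memory table and sample data are constructed."""
import hashlib
import hmac
import json
import os

# Usernames with these prefixes are reserved for external identities.
EXTERNAL_PREFIXES = ("http://", "https://")
PBKDF2_ROUNDS = 200_000  # assumption: the answer does not specify local password storage


class UserTable:
    """In-memory stand-in for the MySQL table shown in the answer."""

    def __init__(self):
        self.rows = []
        self._next_id = 1  # emulates AUTO_INCREMENT on user_id

    def _insert(self, username, password, userdata, name):
        row = {"user_id": self._next_id, "username": username, "password": password,
               "userdata": userdata, "admin": 0, "name": name}
        self._next_id += 1
        self.rows.append(row)
        return row

    def find(self, username):
        for row in self.rows:
            if row["username"] == username:
                return row
        return None

    def register_local(self, username, password, name=None):
        # A normal user may not claim a URL-shaped username, so a local account
        # can never collide with (or impersonate) an external identity.
        if username.lower().startswith(EXTERNAL_PREFIXES):
            raise ValueError("usernames may not start with http:// or https://")
        if self.find(username) is not None:
            raise ValueError("username already taken")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return self._insert(username, salt.hex() + "$" + digest.hex(), None, name)

    def register_external(self, provider_host, external_id, profile):
        # The username is the provider's object URL, so the bare external ID is
        # namespaced by domain instead of being stored where it could overlap a
        # locally generated ID.
        username = f"http://{provider_host}/{external_id}"
        existing = self.find(username)
        if existing is not None:
            return existing  # returning user maps onto the same row
        # Password stays NULL; the provider's profile JSON lives in userdata.
        return self._insert(username, None, json.dumps(profile), profile.get("name"))

    @staticmethod
    def is_external(row):
        # Account type is derived from the username shape, no extra flag column needed.
        return row["username"].lower().startswith(EXTERNAL_PREFIXES)

    def authenticate_local(self, username, password):
        row = self.find(username)
        # External rows carry no password hash and therefore never pass a password login.
        if row is None or row["password"] is None:
            return None
        salt_hex, digest_hex = row["password"].split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
        return row if hmac.compare_digest(candidate.hex(), digest_hex) else None


def demo():
    """Walk through both account kinds; returns the table for inspection."""
    table = UserTable()
    table.register_local("alice", "correct horse battery staple", name="Alice")
    table.register_external("graph.facebook.com", "8643372",
                            {"id": "8643372", "name": "Example User"})  # constructed
    return table


if __name__ == "__main__":
    for row in demo().rows:
        kind = "external" if UserTable.is_external(row) else "local"
        print(row["user_id"], kind, row["username"])
```

Because the account kind is derived from the username shape and the password column is NULL only for external rows, the two signals the asker considers in the 4th question agree with each other here, and a password login attempt against an external row fails before any hash comparison takes place.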
