How to inspect every query sent from Zend Framework to the database
I have a complex reporting application that allows clients to log in and view reports for their client data. There are several sections of the application where there are database calls, using various controllers. I need to make sure that client A doesn't get client B's information via header manipulation.

The system authenticates, and assigns them a clientID and roleID. If your roleID > 1, that means you work for the company hosting the data, and you can see all client info. I want to create a catch-all that basically works like this:

```php
if ($roleID > 1) {
    // ...send query to database
} else {
    if (/* ...does this query select a record with clientID other than my $auth->clientID */) {
        // do not execute query
    } else {
        // execute query
    }
}
```

The problem is, I want this to run for every query that goes to the server... how can I place this code as a "roadblock" between the application and the DB? I already use Zend_Profiler to look at queries, so I know it is somehow possible, but cannot discern this from the Profiler code...

I can always write an authentication function and pass selected queries that way, but this catch-all would be easier to implement across all of the calls and would be future proof. Any help is appreciated.
Comments (4)
It's an application design fault.
You should use a 'service architecture': the only entry point for queries would be a service, with any checks inside it.

If this is something you want run on every query, I'd suggest extending Zend_Db_Select and overriding either the query() or assemble() function to add in your logic. You'll also want to add a way for it to be aware of your $auth object.

Another option is to extend your database adapter so you can intercept the queries directly. IMO, you should try and do this at the application level though.
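One way to build the choke point these two comments describe, as an added example that is not code from the question or from any of the answers: a subclass of the ZF1 MySQL PDO adapter whose query() override appends the tenant filter to every Zend_Db_Select and refuses raw SQL strings for client sessions. The class name TenantGuardAdapter, the setTenant() method, the column name clientID and the connection values are assumptions.

```php
<?php
// Added example: a ZF1 adapter subclass enforcing the tenant check on every
// query. TenantGuardAdapter, setTenant() and the clientID column are assumptions.
require_once 'Zend/Db/Adapter/Pdo/Mysql.php';
require_once 'Zend/Db/Adapter/Exception.php';
require_once 'Zend/Db/Table/Abstract.php';

class TenantGuardAdapter extends Zend_Db_Adapter_Pdo_Mysql
{
    private $_clientId = null;
    private $_roleId   = 0;

    // Called once after login with the values from the $auth object.
    public function setTenant($clientId, $roleId)
    {
        $this->_clientId = (int) $clientId;
        $this->_roleId   = (int) $roleId;
    }

    // fetchAll(), fetchRow(), insert(), update() and delete() in Zend_Db_Adapter_Abstract
    // all route through query(), so overriding it gives the single "roadblock" asked for.
    public function query($sql, $bind = array())
    {
        if ($this->_roleId > 1) {
            return parent::query($sql, $bind);   // staff role: unrestricted
        }
        if ($this->_clientId === null) {
            throw new Zend_Db_Adapter_Exception('No authenticated client for this query');
        }
        if ($sql instanceof Zend_Db_Select) {
            // Enforce instead of inspect: AND the tenant predicate onto the select
            // so the result can never hold another client's rows. Qualify the
            // column (e.g. 'r.clientID') if a join makes it ambiguous.
            $sql->where('clientID = ?', $this->_clientId);
            return parent::query($sql, $bind);
        }
        // Raw SQL strings cannot be rewritten safely: fail closed so a missing
        // filter surfaces as an error instead of a data leak.
        throw new Zend_Db_Adapter_Exception(
            'Raw SQL is not permitted in client sessions; build a Zend_Db_Select');
    }
}

// Usage (constructed values): install the guarded adapter as the default one.
$db = new TenantGuardAdapter(array('host' => 'localhost', 'username' => 'app',
                                   'password' => 'secret', 'dbname' => 'reports'));
$db->setTenant(7, 1);                          // from $auth->clientID, $auth->roleID
Zend_Db_Table_Abstract::setDefaultAdapter($db);
$rows = $db->fetchAll($db->select()->from('reports', array('id', 'total')));
// Executed SQL: SELECT `reports`.`id`, `reports`.`total` FROM `reports` WHERE (clientID = 7)
```

Because the filter is added at the adapter rather than checked in each controller, a controller that forgets the clientID condition still cannot return another client's rows, and a raw-SQL call from a client session fails loudly instead of silently leaking.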
Depending on your database server, you can put a trace on the DB side.
Here's an example for Oracle:
http://orafaq.com/wiki/SQL_Trace