当前位置: 文江博客话题详情

使用 PHP 从外部服务器验证 MySQL 数据库中的信息

发布于 2024-12-09 09:53:50 字数 420 浏览 0 评论 0原文

我不太熟悉 PHP 的 mysql_connect 的工作原理,但可以编写非常基本的脚本。我加入了一个论坛管理员论坛,一家托管公司向我们提供了合作伙伴关系。

这种合作关系涉及我们的活跃会员通过该服务托管软件包获得折扣。托管所有者建议他为这个特定的包设置一个“隐藏 URL”,但我认为如果非我们论坛的成员发现了该 URL,他们可能会滥用该 URL。

因此,我建议我们安装一个脚本,该脚本接受用户在托管网站上输入的凭据(用户名和密码),并将该信息与我们的数据库(显然在单独的服务器上)交叉引用以查找匹配项检查用户是否已激活并且至少有 100 个帖子,并且只有当所有 if 语句都返回 true 时,才会对用户进行身份验证并授予托管包的访问权限。

我知道如何验证数据,但我不知道如何访问服务器外部的数据库,我做了一些谷歌搜索,我发现的信息除了让我困惑之外什么也没做。

原文

I'm not extremely familiar with how PHP's mysql_connect works, but can program very basic scripts. I joined up at a forum for forum administrators and we have been offered a partnership by a hosting company.

This partnership involves our active members receiving discounts for hosting packages from that service. The hosting owner suggested that he would have a "hidden URL" for this particular package, but I felt that this could be abused by non-members of our forum if they found out about the URL.

So I suggested that we instead install a script that takes credentials input by the user (username and password) on the hosting website, and cross-references that information with our database (obviously on a separate server) to look for a match, as well as check if the user is activated and has at least 100 posts, and only if all the if statements return true, the user is then authenticated and granted access permission for the hosting package.

I know how to validate the data, but I do not know how to access a database external to the server, and I did a few Google searches and the information I found did nothing but confuse me.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

晚风撩人 2024-12-16 09:53:50

MySQL 可以以与连接本地主机服务器相同的方式连接到外部服务器:

$conn = mysql_connect('external-server.hostname.example.com', $user, $password);
mysql_select_db($database_name);

外部服务器必须允许来自发出请求的 Web 服务器通过其防火墙的 MySQL 连接,并且它必须有一个用户 webserveruser@webserver-主机名 可以访问需要查询的数据库。

在外部服务器上,假设您只需要对表进行读取 (SELECT) 访问:

GRANT SELECT ON databasename.tablename TO `webserveruser`@`webserver-hostname` IDENTIFIED BY 'thepassword';

MySQL can connect to an external server in the same manner as it connects to the localhost server:

$conn = mysql_connect('external-server.hostname.example.com', $user, $password);
mysql_select_db($database_name);

The external server must allow MySQL connections through its firewall from the web server making the requests, and it must have a user webserveruser@webserver-hostname with access to the database that needs to be queried.

On the external server, assuming you need only read (SELECT) access to a table:

GRANT SELECT ON databasename.tablename TO `webserveruser`@`webserver-hostname` IDENTIFIED BY 'thepassword';
回复 原文
梅倚清风 2024-12-16 09:53:50

对于托管公司来说,似乎最简单的解决方案是单独通过电子邮件向每个人发送一个长而独特的 URL,例如

http://www.myhostingservice.com/refer/80ddca50-f41e-11e0-be50-0800200c9a66/

单击此链接将带您进入他们的注册/购买页面,您将在其中获得特别折扣,然后在购买后一旦创建,该链接就会失效或无效,因此其他人无法使用它。有人随机猜出 URL 的可能性极小。

这比尝试要求系统管理员直接访问他们的数据库要容易得多。唯一的其他选择是数据库/论坛系统管理员编写一个 PHP API 脚本,托管服务可以安全地使用该脚本来检查数据库的凭据,而数据库系统管理员无需透露有关数据库的重要安全详细信息。

It seems like the easiest solution would be for the hosting company to individually email each one of you a long, unique URL like

http://www.myhostingservice.com/refer/80ddca50-f41e-11e0-be50-0800200c9a66/

Clicking this link would take you to their signup/purchase page where you would receive a special discount and then after the purchase is made, the link becomes dead or invalid so no one else could use it. It is extremely unlikely that someone could guess the url randomly.

That would be a lot easier than trying to ask sysadmins for direct access to their databases. The only other alternative would be for the database/forum sysadmin to write a PHP API script that the hosting service can safely use to check the database for credentials without the database sysadmin needing to reveal important security details about the database.

回复 原文
但可醉心 2024-12-16 09:53:50

您应该能够在主机之间远程访问任何 mysql 数据库。我个人知道,我要求他们提供远程连接,他们向我询问他们允许访问的具体 IP 地址。

我还整理了一些代码,以防您对如何实现所需的用户表单/验证感到困惑 - 正如您所说,您的 PHP 知识有限。

假设您有一个与此类似的登录表单

<form action="post" method="checklogin.php">
<input type="username" name="username_input" />
<input type="password" name="password_input" />
<input type="submit" value="Validate Login" name="do_validation" />
</form>

下面是 checklogin.php 的一些 PHP 代码,我将它们与 // 注释放在一起以指导您:

// Get the form data
if ($_POST['do_validation'])
{
    // The correct form was posted, get the form data
    $username = mysql_real_escape_string($_POST['username_input']);
    $password = mysql_real_escape_string($_POST['password_input']);

    // Connect to the database
    mysql_connect ("http://91.0.0.1", "myUsername", "myPassword");

    // Select database
    mysql_select_db('remote_table_name');

    // Check the username and password against database
    $check_credentials = mysql_query("SELECT user_id FROM users WHERE username='$username' AND password='$password'");

    // Check that user exists
    if (mysql_num_rows($check_credentials) == 1)
    {
        $existing_user = mysql_fetch_assoc($check_credentials);
        $existing_user_id = $existing_user_id['user_id'];

        // The user exists, now get ID of posts from another table, using their 'user_id'
        $check_posts = mysql_query("SELECT post_id FROM posts WHERE user_id='$existing_user_id'");

        // Check the number of posts is at least 100
        if ($check_posts >= 100)
        {
            // The user has 100 posts OR MORE
            echo "You are a valid user";

            // Here you could start a session for the user (logging them in), and then show the data that you want

            session_start();
            // Store the user_id of the user in a SESSION
            $_SESSION['user_id'] = $existing_user_id;
        }
    }
}

上面的代码未经测试,几乎不包含任何安全机制,也没有验证。

但它会满足您建议的保护表单的标准。

You should be able to access any mysql database remotely from host to host. I know personally with mine I asked them to make remote connecting available, and they asked me for the specific IP address that they would allow to access it.

I've knocked together a bit of code also in case you're confused about how you would go about achieving the desired form/validation of user that you're after - as you stated that you have limited PHP knowledge.

Presuming that you have a login form similar to this one

<form action="post" method="checklogin.php">
<input type="username" name="username_input" />
<input type="password" name="password_input" />
<input type="submit" value="Validate Login" name="do_validation" />
</form>

Here's some PHP code for checklogin.php that I've thrown together with //comments to guide you:

// Get the form data
if ($_POST['do_validation'])
{
    // The correct form was posted, get the form data
    $username = mysql_real_escape_string($_POST['username_input']);
    $password = mysql_real_escape_string($_POST['password_input']);

    // Connect to the database
    mysql_connect ("http://91.0.0.1", "myUsername", "myPassword");

    // Select database
    mysql_select_db('remote_table_name');

    // Check the username and password against database
    $check_credentials = mysql_query("SELECT user_id FROM users WHERE username='$username' AND password='$password'");

    // Check that user exists
    if (mysql_num_rows($check_credentials) == 1)
    {
        $existing_user = mysql_fetch_assoc($check_credentials);
        $existing_user_id = $existing_user_id['user_id'];

        // The user exists, now get ID of posts from another table, using their 'user_id'
        $check_posts = mysql_query("SELECT post_id FROM posts WHERE user_id='$existing_user_id'");

        // Check the number of posts is at least 100
        if ($check_posts >= 100)
        {
            // The user has 100 posts OR MORE
            echo "You are a valid user";

            // Here you could start a session for the user (logging them in), and then show the data that you want

            session_start();
            // Store the user_id of the user in a SESSION
            $_SESSION['user_id'] = $existing_user_id;
        }
    }
}

The code above is untested, and contains hardly any safety mechanisms and no validation.

But it would fulfil the criteria that you have suggested to protect your form.

回复 原文
~没有更多了~

关于作者

简单气质女生网名

暂无简介

0 文章
0 评论
905 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文