
The Oracle built-in security features for php

By iSee, Fri, 21 Aug 2009, 3:59 PM

Most Web applications today require at least a basic security policy: for example, a password-protected administrator back-end for a content-driven Web site, a blog or personal journal, an e-commerce site, or a corporate intranet.

The most common design strategy for these kinds of Web application is to build the security into the application's business logic: the application itself decides whether a given user may access the data held in the database. Under this approach the database merely stores the data and hands it back on request. In other words, when the Web application instructs the database to return certain information, the database executes the command directly, without checking the user's permissions.

In this article you will learn how to use Oracle's built-in security features to implement application-level security rules inside the database, improving the overall security of the application. As a side benefit, enforcing data access security directly in the database not only hardens the application but also helps reduce its complexity.

The need for database-side security

What is wrong with controlling data access from the Web application? In most cases nothing; it is a good solution, especially where the data is neither mission-critical nor confidential, and many books and online resources use this approach. In fact, one very popular PHP/MySQL book explicitly argues against creating more than one database user account per application, because "additional users or permissions increase the complexity of the checks MySQL must perform before executing an operation, and so reduce MySQL's speed." That is true; however, before giving up on putting security logic in the database, there are a few things worth considering. Let us look at the following example.

Suppose you are building a content management system (CMS) that stores the content of a Web site in the database. Most of the data is public and may be read by anonymous Web users, but only administrators are allowed to edit it. A single database account is used both to read and to modify records, and security is enforced in the PHP code by restricting the editing pages to administrators who have logged in with a password.

If the Web application is exposed to a SQL injection attack through a public-facing component, such as a loosely coded public search form, the intruder may be able to execute arbitrary SQL statements against every database object the public account can reach. In this particular case, executing SELECT statements would not cause much harm, since the data is public anyway. But because the administrative and public functions share the same database account, and therefore the same privileges, the intruder can also execute UPDATE and DELETE statements, or even drop tables from the database.

How can we prevent this from happening? The simplest way is to give the public database account no privilege whatsoever to modify data. Let us look at how Oracle solves this problem.

Basic overview of Oracle security

Oracle gives Web developers a number of ways to control data access, from managing access to specific database objects (such as tables, views and procedures) to controlling access to individual rows or columns of data. Clearly, discussing every Oracle security feature and option is beyond the scope of this article. Without going into too much detail, we introduce only the most basic aspects of data access security in Oracle:

  • Authentication and user accounts
  • Permissions
  • Roles

Authentication and user accounts. Like other databases, Oracle must authenticate every user (database account) that requests access. Authentication can be performed by the database, by the operating system or by a network service. Beyond basic password authentication, Oracle also supports strong authentication mechanisms such as Kerberos, CyberSafe and RADIUS.

Roles. In Oracle, a role is a named set of privileges. Privileges can be granted to user accounts directly, but roles greatly simplify user management, especially when a large number of users must be managed. It is far more efficient to create a small number of easily managed roles and then grant each user one or more of them according to the user's security level. Not to mention how much simpler changing privileges becomes: you modify the role, and every user holding that role picks up the change, with no need to touch each user account.

To simplify the initial creation of new users, Oracle comes with three predefined roles:
  • CONNECT role - allows the user to connect to the database and perform basic operations such as creating their own tables. By default, other users cannot access those tables.
  • RESOURCE role - similar to the CONNECT role, but grants the user more system privileges, such as creating triggers or stored procedures.
  • DBA role - grants the user all system privileges.

Using authorization and privileges

In this section we discuss how to use Oracle's authorization and privileges to improve the security of the simple CMS example discussed at the beginning of this article. Assume that the content the application serves to users is stored in the WEB_CONTENT table.

First, create the table. Start the Oracle Database Express Edition and log on to the system as an administrator. If the sample HR user has not been unlocked yet, unlock it by following the instructions in the Getting Started Guide shipped with Express Edition. Note that by default the HR user has been granted the RESOURCE role. Here we also grant the user the DBA role, so that this account can be used to administer the CMS application's database. Of course, the HR account will not be used by the online application; it is used only to manage the database.

Now you can create the new table either with the Object Browser or by running the statement in the SQL Commands window. Here is the code to create the table:

CREATE TABLE WEB_CONTENT (page_id NUMBER PRIMARY KEY, page_content VARCHAR2(255));

Because the table is created under the HR user account, it is owned by HR and lives in the HR schema, and until HR explicitly grants other users access to the table, no other user can reach it. If you are not convinced, create a new user and try to access the WEB_CONTENT table with it.
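The following script, added here as an example and not part of the original article, carries the roles and privileges described above through to the CMS scenario: a read-only account for the public PHP pages and a role-based editor account for the administrator back-end. The account names, the role name and the passwords are assumptions; run the first part as the DBA-enabled HR account, and note that CONNECT is a SQL*Plus command rather than SQL.

```sql
-- Added example (not from the original article). Assumed names:
-- cms_public, cms_admin (users), cms_editor (role), placeholder passwords.

-- 1. Low-privilege account for the public-facing PHP code: it may log in and
--    read HR.WEB_CONTENT, and nothing else. No CONNECT/RESOURCE role is granted.
CREATE USER cms_public IDENTIFIED BY "ChangeMe_public1";
GRANT CREATE SESSION TO cms_public;
GRANT SELECT ON hr.web_content TO cms_public;

-- 2. A role bundling the editing privileges, granted to a separate account
--    that only the password-protected admin pages connect with.
CREATE ROLE cms_editor;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.web_content TO cms_editor;
CREATE USER cms_admin IDENTIFIED BY "ChangeMe_admin1";
GRANT CREATE SESSION TO cms_admin;
GRANT cms_editor TO cms_admin;

-- 3. Verify from the public account (SQL*Plus). The SELECT succeeds; the UPDATE
--    is refused by the database itself with ORA-01031 (insufficient privileges),
--    whatever statement a compromised search form was tricked into sending.
CONNECT cms_public/"ChangeMe_public1"
SELECT page_id, page_content FROM hr.web_content;
UPDATE hr.web_content SET page_content = 'changed' WHERE page_id = 1;

-- 4. Verify from the editor account: the UPDATE now works, and the role's
--    privileges are visible through ROLE_TAB_PRIVS.
CONNECT cms_admin/"ChangeMe_admin1"
UPDATE hr.web_content SET page_content = 'changed' WHERE page_id = 1;
SELECT role, privilege FROM role_tab_privs WHERE table_name = 'WEB_CONTENT';
```

The PHP application then uses the cms_public credentials for its public pages and the cms_admin credentials only for the administrator back-end, so the privilege check happens in the database on every statement.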

