數據庫數據安全的九個最佳實踐
第 5 章 數據庫安全
目錄html
5.1. 保護表mysql
5.2. 保護表字段git
5.3. 時間一致性程序員
5.4. 爲數據安全而分庫github
5.6. 用戶/角色認證sql
5.8.1. AES_ENCRYPT / AES_DECRYPT服務器
5.1. 保護表
保護表中的數據不被刪除,當記錄被用戶刪除時會提示"Permission denied" 權限拒絕
CREATE DEFINER=`root`@`192.168.%` TRIGGER `member_before_delete` BEFORE DELETE ON `member` FOR EACH ROW BEGIN SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Permission denied', MYSQL_ERRNO = 1001; END
5.2. 保護表字段
經過觸發器,使之沒法修改某些字段的數據,同時不影響修改其餘字段。
DROP TRIGGER IF EXISTS `members`;
SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='';
DELIMITER //
CREATE TRIGGER `members` BEFORE UPDATE ON `members` FOR EACH ROW BEGIN
set new.name = old.name;
set new.cellphone = old.cellphone;
set new.email = old.email;
set new.password = old.password;
END//
DELIMITER ;
SET SQL_MODE=@OLD_SQL_MODE;
再舉一個例子
CREATE TABLE `account` ( `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT, `user` VARCHAR(50) NOT NULL DEFAULT '0', `cash` FLOAT NOT NULL DEFAULT '0', PRIMARY KEY (`id`) ) COLLATE='utf8_general_ci' ENGINE=InnoDB;
每一次數據變化新增一條數據
INSERT INTO `test`.`account` (`user`, `cash`) VALUES ('neo', -10);
INSERT INTO `test`.`account` (`user`, `cash`) VALUES ('neo', -5);
INSERT INTO `test`.`account` (`user`, `cash`) VALUES ('neo', 30);
INSERT INTO `test`.`account` (`user`, `cash`) VALUES ('neo', -20);
保護用戶的餘額不被修改
DROP TRIGGER IF EXISTS `account`; SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE=''; DELIMITER // CREATE TRIGGER `account` BEFORE UPDATE ON `account` FOR EACH ROW BEGIN set new.cash = old.cash; END// DELIMITER ; SET SQL_MODE=@OLD_SQL_MODE;
5.3. 時間一致性
常常會由於每一個服務器的時間不一樣,致使插入數據有問題,雖然能夠採用ntp服務同步時間,但因爲各類因素仍然會出問題,怎麼解決?我建議以數據庫時間爲準。
MySQL 5.6 以前的版本
默認值爲當前時間
CREATE TABLE `tdate` ( `id` INT(11) NOT NULL AUTO_INCREMENT, `ctime` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '建立時間', `mtime` TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT '修改時間', PRIMARY KEY (`id`) ) COLLATE='utf8_general_ci' ENGINE=InnoDB;
MySQL不容許一個表拿有兩個默認時間。我一沒法兼顧修改時間,咱們捨棄建立時間,當有數據變化ON UPDATE CURRENT_TIMESTAMP自動修改時間
CREATE TABLE `tdate` ( `id` INT(11) NOT NULL AUTO_INCREMENT, `ctime` TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00' COMMENT '建立時間', `mtime` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '修改時間', PRIMARY KEY (`id`) ) COLLATE='utf8_general_ci' ENGINE=InnoDB;
插入建立時間 insert into tdate(ctime) values(CURRENT_TIMESTAMP); 不要採用 insert into tdate(ctime) values('2013-12-02 08:20:06');這種方法,儘可能讓數據庫處理時間。
MySQL 5.6 以後版本,能夠實現建立時間爲系統默認,修改時間建立的時候默認爲空,當修改數據的時候更新時間。
CREATE TABLE `tdate` ( `id` INT(11) NOT NULL AUTO_INCREMENT, `ctime` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '建立時間', `mtime` TIMESTAMP NULL DEFAULT NULL ON UPDATE CURRENT_TIMESTAMP COMMENT '修改時間', PRIMARY KEY (`id`) ) COLLATE='utf8_general_ci' ENGINE=InnoDB;
5.4. 爲數據安全而分庫
咱們一般使用一個數據庫開發,該數據庫包含了先後臺全部的功能,我建議將先後臺等等功能進行分庫而後對應各類平臺分配用戶權限,例如
咱們建立三個數據庫cms,frontend,backend 同時對應建立三個用戶 cms,frontend,backend 三個用戶只能分別訪問本身的數據庫,注意在系統的設計之初你要考慮好這樣的劃分隨之系統須要作相應的調整。
CREATE DATABASE `cms` /*!40100 COLLATE 'utf8_general_ci' */; CREATE DATABASE `frontend` /*!40100 COLLATE 'utf8_general_ci' */; CREATE DATABASE `backend` /*!40100 COLLATE 'utf8_general_ci' */;
backend 負責後臺,權限最高
mysql> SHOW GRANTS FOR 'backend'@'localhost'; +--------------------------------------------------------------------------------------+ | Grants for backend@localhost | +--------------------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'backend'@'localhost' | | GRANT SELECT, INSERT, UPDATE, DELETE ON `cms`.* TO 'backend'@'localhost' | | GRANT SELECT, INSERT, UPDATE, DELETE ON `frontend`.* TO 'backend'@'localhost' | | GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON `backend`.* TO 'backend'@'localhost' | +--------------------------------------------------------------------------------------+ 4 rows in set (0.04 sec)
frontend 是前臺權限,主要是用戶用戶中心,用戶註冊,登陸,用戶信息資料編輯,查看新聞等等
mysql> SHOW GRANTS FOR 'frontend'@'localhost'; +------------------------------------------------------------------------+ | Grants for frontend@localhost | +------------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'frontend'@'localhost' | | GRANT SELECT, INSERT, UPDATE ON `frontend`.* TO 'frontend'@'localhost' | | GRANT SELECT ON `cms`.`news` TO 'frontend'@'localhost' | +------------------------------------------------------------------------+ 3 rows in set (0.00 sec)
cms 用戶是網站內容管理,主要負責內容更新,但登錄CMS後臺須要`backend`.`Employees`表用戶認證,因此他須要讀取權限,但不容許修改其中的數據。
mysql> SHOW GRANTS FOR 'cms'@'localhost'; +----------------------------------------------------------------------+ | Grants for cms@localhost | +----------------------------------------------------------------------+ | GRANT USAGE ON *.* TO 'cms'@'localhost' | | GRANT SELECT, INSERT, UPDATE, DELETE ON `cms`.* TO 'cms'@'localhost' | | GRANT SELECT ON `backend`.`Employees` TO 'cms'@'localhost' | +----------------------------------------------------------------------+ 3 rows in set (0.00 sec)
5.5. 內容版本控制,撰改留痕
主表
CREATE TABLE `article` ( `article_id` MEDIUMINT(8) UNSIGNED NOT NULL AUTO_INCREMENT, `cat_id` SMALLINT(5) NOT NULL DEFAULT '0', `title` VARCHAR(150) NOT NULL DEFAULT '', `content` LONGTEXT NOT NULL, `author` VARCHAR(30) NOT NULL DEFAULT '', `keywords` VARCHAR(255) NOT NULL DEFAULT '', PRIMARY KEY (`article_id`), INDEX `cat_id` (`cat_id`) ) ENGINE=MyISAM ROW_FORMAT=DEFAULT AUTO_INCREMENT=1
用於記錄每次修改變更,經過該表,能夠追朔數據庫記錄被何時修改過,修改了那些內容。
CREATE TABLE `article_history` ( `id` MEDIUMINT(8) UNSIGNED NOT NULL AUTO_INCREMENT, `article_id` MEDIUMINT(8) UNSIGNED NOT NULL, `cat_id` SMALLINT(5) NOT NULL DEFAULT '0', `title` VARCHAR(150) NOT NULL DEFAULT '', `content` LONGTEXT NOT NULL, `author` VARCHAR(30) NOT NULL DEFAULT '', `keywords` VARCHAR(255) NOT NULL DEFAULT '', PRIMARY KEY (`id`), INDEX `article_id` (`article_id`) ) ENGINE=MyISAM ROW_FORMAT=DEFAULT AUTO_INCREMENT=1
版本控制觸發器
DROP TRIGGER article_history; DELIMITER // CREATE TRIGGER article_history BEFORE update ON article FOR EACH ROW BEGIN INSERT INTO article_history SELECT * FROM article WHERE article_id = OLD.article_id; END; // DELIMITER;
進一步優化,咱們能夠爲 history 歷史表增長時間字段,用於記錄被撰改那一時刻的時間。
CREATE TABLE `article_history` ( `id` MEDIUMINT(8) UNSIGNED NOT NULL AUTO_INCREMENT, `article_id` MEDIUMINT(8) UNSIGNED NOT NULL, `cat_id` SMALLINT(5) NOT NULL DEFAULT '0', `title` VARCHAR(150) NOT NULL DEFAULT '', `content` LONGTEXT NOT NULL, `author` VARCHAR(30) NOT NULL DEFAULT '', `keywords` VARCHAR(255) NOT NULL DEFAULT '', `ctime` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'Created Time', `mtime` timestamp NULL DEFAULT NULL ON UPDATE CURRENT_TIMESTAMP COMMENT 'Modified Time', PRIMARY KEY (`id`), INDEX `article_id` (`article_id`) ) ENGINE=MyISAM ROW_FORMAT=DEFAULT AUTO_INCREMENT=1
咱們還能夠爲該表(article_history)增長出發器,任何修改將被拒絕.
5.6. 用戶/角色認證
本小節咱們實現一個功能,當用戶插入,修改或者刪除數據時,判斷該操做是否具有應有的權限。若是權限不符合就拒絕操做同時提示用戶。
CREATE TABLE `staff` ( `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '員工ID', `name` VARCHAR(50) NOT NULL COMMENT '員工名字', PRIMARY KEY (`id`) ) COMMENT='員工表' COLLATE='utf8_general_ci' ENGINE=InnoDB; INSERT INTO `staff` (`id`, `name`) VALUES (1, 'Neo'), (2, 'Luke'), (2, 'Jack');
staff 是員工表與下面的staff_has_role配合使用,造成員工與權限一對多關係。
CREATE TABLE `staff_has_role` (
`id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
`staff_id` INT(10) UNSIGNED NOT NULL COMMENT '員工ID',
`role` ENUM('Create','Update','Delete') NOT NULL COMMENT '角色',
PRIMARY KEY (`id`),
INDEX `FK_staff_has_role_staff` (`staff_id`),
CONSTRAINT `FK_staff_has_role_staff` FOREIGN KEY (`staff_id`) REFERENCES `staff` (`id`) ON UPDATE CASCADE ON DELETE CASCADE
)
COLLATE='utf8_general_ci'
ENGINE=InnoDB;
INSERT INTO `staff_has_role` (`id`, `staff_id`, `role`) VALUES
(1, 1, 'Create'),
(2, 1, 'Delete'),
(3, 1, 'Update'),
(4, 2, 'Delete'),
(5, 3, 'Create');
(6, 3, 'Update');
權限表能夠進一步優化,角色擁有組功能,實現顆粒度更細的權限控制,有情趣看前面的相關章節。
CREATE TABLE `product` ( `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '惟一ID', `name` VARCHAR(10) NOT NULL COMMENT '名稱', `sn` VARCHAR(10) NOT NULL COMMENT '序列號', `price` FLOAT NOT NULL COMMENT '價格', `amount` SMALLINT(6) NOT NULL COMMENT '數量', `staff_id` INT(10) UNSIGNED NOT NULL COMMENT '員工ID', `ctime` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '建立時間', `mtime` TIMESTAMP NULL DEFAULT NULL ON UPDATE CURRENT_TIMESTAMP COMMENT '修改時間', PRIMARY KEY (`id`), UNIQUE INDEX `sn` (`sn`), INDEX `FK_product_staff` (`staff_id`), CONSTRAINT `FK_product_staff` FOREIGN KEY (`staff_id`) REFERENCES `staff` (`id`) ) COMMENT='產品表' COLLATE='utf8_general_ci' ENGINE=InnoDB;
以產品表爲例,這裏要實現的是對產品表記錄的權限控制。例如Neo有用插入,修改和刪除權限,Luke的Create與Update權限被吊銷,只能刪除他以前建立的數據。而Jack只有能建立於更新數據。
下面的三個觸發器完成具體的權限控制。一樣你能夠進一步優化下面的代碼的權限顆粒度,使之能控制到具體列,甚至具體的記錄。
CREATE DEFINER=`root`@`%` TRIGGER `product_before_delete` BEFORE DELETE ON `product` FOR EACH ROW BEGIN if not exists(select id from staff where id=OLD.staff_id and role="delete") then SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Permission denied', MYSQL_ERRNO = 1001; end if; END CREATE DEFINER=`root`@`%` TRIGGER `product_before_insert` BEFORE INSERT ON `product` FOR EACH ROW BEGIN if not exists(select id from staff where id=NEW.staff_id and role="create") then SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = "The staff's role is not correct or it does not exist.", MYSQL_ERRNO = 1001; end if; END CREATE DEFINER=`root`@`%` TRIGGER `product_before_update` BEFORE UPDATE ON `product` FOR EACH ROW BEGIN if not exists(select id from staff where id=NEW.staff_id and role="update") then SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = "The staff's role cannot update data.", MYSQL_ERRNO = 1001; end if; END
Neo 測試以下
INSERT INTO `test`.`product` (`name`, `sn`, `price`, `amount`, `staff_id`, `ctime`) VALUES ('Iphone', '678624', '5000', '77', '1', '2010-08-18 15:38:23');
SELECT LAST_INSERT_ID();
UPDATE `test`.`product` SET `name`='HTC', `sn`='5544467', `price`='2000' WHERE `id`=2;
DELETE FROM `test`.`product` WHERE `id`=1;
Luke 測試以下:
INSERT INTO `test`.`product` (`name`, `sn`, `price`, `amount`, `staff_id`) VALUES ('Nokia', '65722', '800', '55', '2');
/* SQL錯誤(1001):The staff's role is not correct or it does not exist. */
UPDATE `test`.`product` SET `name`='HTC', `sn`='5544467', `price`='2000', staff_id=2 WHERE `id`=2;
/* SQL錯誤(1001):The staff's role cannot update data. */
5.7. Token 認證
咱們在staff表的基礎上增長 token 字段
CREATE TABLE `staff` ( `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '員工ID', `name` VARCHAR(50) NOT NULL COMMENT '員工名字', `token` VARCHAR(32) NOT NULL COMMENT 'Token 校驗', PRIMARY KEY (`id`) ) COMMENT='員工表' COLLATE='utf8_general_ci' ENGINE=InnoDB;
插入數據的時候增長一些干擾字符串,這裏使用concat(NEW.id,'+',NEW.name,'-')
CREATE DEFINER=`root`@`%` TRIGGER `staff_before_insert` BEFORE INSERT ON `staff` FOR EACH ROW BEGIN if md5(concat(NEW.id,'+',NEW.name,'-')) != NEW.token then SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Permission denied', MYSQL_ERRNO = 1001; end if; END
注意表權限能夠受權給用戶,觸發器權限不讓普通用戶查看。不然用戶看到 concat(NEW.id,'+',NEW.name,'-') 就沒有意義了。
下面開始測試:
INSERT INTO `test`.`staff` (`name`, `token`) VALUES ('John', '678797066');
/* SQL錯誤(1001):Permission denied */
下面再測試,首先生成一個正確的tokon, 而後使用該token插入數據:
-- 經過下面語句生成一個 Token
select md5(concat('5','+','Jam','-')) as token;
-- 使用上面的 Token 插入數據
INSERT INTO `test`.`staff` (`id`, `name`, `token`) VALUES (5, 'Jam', '1b033ce21cbadacabc9f0c38fb58dbb2');
SELECT * FROM `test`.`staff` WHERE `id` = 5;
開發注意事項, Token 生成算法要保密,不要使用下面SQL提交數據
INSERT INTO `test`.`staff` (`id`, `name`, `token`) VALUES (5, 'Jam', md5(concat('5','+','Jam','-')));
應該分兩步,一是計算Token,二是插入數據。能夠將Token計算交給程序而不是SQL,而且封裝在。jar(Java)中或者。so(PHP 擴展中).
5.8. 數據加密
數據庫中有不少敏感字段,不容許隨意查看,例如開發人員,運維人員,甚至DBA數據庫管理員。另外加密主要是防止被黑客脫庫(盜走)
敏感數據加密有不少辦法,能夠用數據庫內部加密函數,也能夠在外部處理後寫入數據庫。加密算法有不少種,但一般兩類比較經常使用,一種是經過key加密解密,另外一種是經過證書加密解密。
一般程序員負責寫程序,程序交給運維配置,運維將key設置好,運維不能有數據庫權限,DBA只能登錄數據庫,沒有key權限。
5.8.1. AES_ENCRYPT / AES_DECRYPT
這裏介紹AES加密與解密簡單用法
mysql> select AES_ENCRYPT('helloworld','key');
+---------------------------------+
| AES_ENCRYPT('helloworld','key') |
+---------------------------------+
| |
+---------------------------------+
1 row in set (0.00 sec)
mysql> select AES_DECRYPT(AES_ENCRYPT('helloworld','key'),'key');
+----------------------------------------------------+
| AES_DECRYPT(AES_ENCRYPT('helloworld','key'),'key') |
+----------------------------------------------------+
| helloworld |
+----------------------------------------------------+
1 row in set (0.00 sec)
mysql>
5.8.2. 加密字段
加密數據入庫
CREATE TABLE `encryption` (
`mobile` VARBINARY(16) NOT NULL,
`key` VARCHAR(32) NOT NULL
)
ENGINE=InnoDB;
INSERT INTO encryption(`mobile`,`key`)VALUES( AES_ENCRYPT('13691851789',md5('13691851789')), md5('13691851789'))
select AES_DECRYPT(mobile,`key`), length(mobile) from encryption;
這裏方便演示將key 寫入了數據庫,實際應用key應該存儲在應用程序配置文件中。一般能把得到key的人不該該用數據庫權限。
5.9. 開發加密插件開發
數據庫內部提供的摘要函數MD5/SHA/CRC與現有的AES/DES加密函數以及不能知足咱們的需求,因此咱們有必要開發外掛插件實現數據加密。
這裏有一個例子,是我早年開發的 https://github.com/netkiller/mysql-safenet-plugin 這個UDF是連接 Safenet設備,實現數據庫加密記錄。
saftnet.h
my_bool safenet_encrypt_init(UDF_INIT *initid, UDF_ARGS *args, char *message); char *safenet_encrypt(UDF_INIT *initid, UDF_ARGS *args, char *result, unsigned long *length, char *is_null, char *error); void safenet_encrypt_deinit(UDF_INIT *initid); my_bool safenet_decrypt_init(UDF_INIT *initid, UDF_ARGS *args, char *message); char *safenet_decrypt(UDF_INIT *initid, UDF_ARGS *args, char *result, unsigned long *length, char *is_null, char *error); void safenet_decrypt_deinit(UDF_INIT *initid); my_bool safenet_config_init(UDF_INIT *initid, UDF_ARGS *args, char *message); char *safenet_config(UDF_INIT *initid, UDF_ARGS *args, char *result, unsigned long *length, char *is_null, char *error); void safenet_config_deinit(UDF_INIT *initid);
safenet.c
/*
Homepage: http://netkiller.github.io/
Author: netkiller<netkiller@msn.com>
*/
#include <mysql.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
#include "safenet.h"
#define SAFENET_URL "http://localhost/safe/interface"
#define SAFENET_KEY "Web01-key"
char *safe_url;
char *safe_key;
void get_safenet_env(){
if (getenv("SAFENET_URL")){
safe_url = getenv("SAFENET_URL");
}else{
safe_url = SAFENET_URL;
}
if (getenv("SAFENET_KEY")){
safe_key = getenv("SAFENET_KEY");
}else{
safe_key = SAFENET_KEY;
}
}
/* CURL FUNCTION BEGIN*/
struct string {
char *ptr;
size_t len;
};
void init_string(struct string *s) {
s->len = 0;
s->ptr = malloc(s->len+1);
if (s->ptr == NULL) {
fprintf(stderr, "malloc() failed\n");
exit(EXIT_FAILURE);
}
s->ptr[0] = '\0';
}
size_t writefunc(void *ptr, size_t size, size_t nmemb, struct string *s)
{
size_t new_len = s->len + size*nmemb;
s->ptr = realloc(s->ptr, new_len+1);
if (s->ptr == NULL) {
fprintf(stderr, "realloc() failed\n");
exit(EXIT_FAILURE);
}
memcpy(s->ptr+s->len, ptr, size*nmemb);
s->ptr[new_len] = '\0';
s->len = new_len;
return size*nmemb;
}
char * safenet(char *url, char *mode, char *key, char *in )
{
CURL *curl;
CURLcode res;
char *fields;
char *data;
// curl_global_init(CURL_GLOBAL_ALL);
/* get a curl handle */
curl = curl_easy_init();
if(curl) {
struct string s;
init_string(&s);
asprintf(&fields, "mode=%s&keyname=%s&input=%s", mode, key, in);
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_USERAGENT, "safenet/1.0 by netkiller <netkiller@msn.com>");
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, fields);
/* Perform the request, res will get the return code */
res = curl_easy_perform(curl);
/* Check for errors */
if(res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
asprintf(&data, "%s", s.ptr);
//printf("Encrypt: %s\n", data);
free(s.ptr);
/* always cleanup */
curl_easy_cleanup(curl);
}
else{
strcpy(data,"");
}
return data;
//curl_global_cleanup();
}
/* CURL FUNCTION END*/
/* ------------------------ safenet encrypt ----------------------------- */
my_bool safenet_encrypt_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
if (args->arg_count != 1)
{
strncpy(message,
"two arguments must be supplied: safenet_encrypt('<data>').",
MYSQL_ERRMSG_SIZE);
return 1;
}
get_safenet_env();
args->arg_type[0]= STRING_RESULT;
return 0;
}
char *safenet_encrypt(UDF_INIT *initid, UDF_ARGS *args,
__attribute__ ((unused)) char *result,
unsigned long *length,
__attribute__ ((unused)) char *is_null,
__attribute__ ((unused)) char *error)
{
char *data;
data = safenet(safe_url, "encrypt", safe_key, args->args[0]);
*length = strlen(data);
return ((char *)data);
}
void safenet_encrypt_deinit(UDF_INIT *initid)
{
return;
}
/* ------------------------ safenet decrypt ----------------------------- */
my_bool safenet_decrypt_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
if (args->arg_count != 1)
{
strncpy(message,
"two arguments must be supplied: safenet_decrypt('<data>').",
MYSQL_ERRMSG_SIZE);
return 1;
}
get_safenet_env();
args->arg_type[0]= STRING_RESULT;
return 0;
}
char *safenet_decrypt(UDF_INIT *initid, UDF_ARGS *args,
__attribute__ ((unused)) char *result,
unsigned long *length,
__attribute__ ((unused)) char *is_null,
__attribute__ ((unused)) char *error)
{
char *data;
if(strlen(args->args[0]) != 512){
data = args->args[0];
}else{
data = safenet(safe_url, "decrypt", safe_key, args->args[0]);
}
*length = strlen(data);
return ((char *)data);
}
void safenet_decrypt_deinit(UDF_INIT *initid)
{
return;
}
/* ------------------------ safenet config ----------------------------- */
my_bool safenet_config_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
get_safenet_env();
return 0;
}
char *safenet_config(UDF_INIT *initid, UDF_ARGS *args,
__attribute__ ((unused)) char *result,
unsigned long *length,
__attribute__ ((unused)) char *is_null,
__attribute__ ((unused)) char *error)
{
char *config;
asprintf(&config, "SAFENET_URL=%s, SAFENET_KEY=%s", safe_url, safe_key);
*length = strlen(config);
return ((char *)config);
}
void safenet_config_deinit(UDF_INIT *initid)
{
return;
}
CMakeLists.txt
cmake_minimum_required(VERSION 2.8) PROJECT(safenet) ADD_LIBRARY(safenet SHARED safenet.c) INCLUDE_DIRECTORIES(/usr/include/mysql) TARGET_LINK_LIBRARIES(safenet curl) INSTALL(PROGRAMS libsafenet.so DESTINATION /usr/lib64/mysql/plugin/)
Installation Plugin
yum install -y libcurl-devel cd src cmake . make make install cat > /etc/sysconfig/mysqld <<EOF export SAFENET_URL=http://host.localdomain/safe/interface export SAFENET_KEY=Web01-key EOF
Create Function
create function safenet_encrypt returns string soname 'libsafenet.so'; create function safenet_decrypt returns string soname 'libsafenet.so'; create function safenet_config returns string soname 'libsafenet.so';
Example
mysql> select safenet_encrypt('Helloworld!!!');
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| safenet_encrypt('Helloworld!!!') |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 994BAB7BC417F0559A09ECE94EDCB695AC1D5705F7ABA9F3562158F5AFAC4720FA9B3E53F30DF65C1726E0F02A93A9CAE7E486349F41AE4F504DC2B49F809C5AF77FEF4DE49D03D8DEC4000B15F2F2A2296500AA6159491E65DEFDFE75FB2E79D31D9BF0CC67932ADA212C34C0B04BF30F222102FAD857F440404C0FE92B8626EA3126B0B5A4FA0B1D09F1CC9EF45EBB6A72123AE82D39F659C717A5AA4F7FB5BDBBC7977C7021F61BBC26B9DB78C9A8657C6BC291CAE5C07F9DF485D71A1E9CC8888793B03BB5AF2DDB57AAEFB6D2EA569226651092414F96BA0880B35B0D8A01A1F7B82C308A2316D07C0FD4E0A298ECB33F4E4EB9F1A1E53760B0BFBE7449 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.58 sec)
mysql> select safenet_decrypt(safenet_encrypt('Helloworld!!!'));
+---------------------------------------------------+
| safenet_decrypt(safenet_encrypt('Helloworld!!!')) |
+---------------------------------------------------+
| Helloworld!!! |
+---------------------------------------------------+
1 row in set (0.31 sec)
mysql> select safenet_config();
Drop Function
drop function safenet_encrypt; drop function safenet_decrypt; drop function safenet_config;
做者公衆號
相關文章
- 1. MySQL數據庫十個最佳實踐
- 2. SQLite 數據庫的最佳實踐
- 3. android: SQLite 數據庫的最佳實踐
- 4. 數據庫安全需要遵循的8項最佳實踐
- 5. PHP最佳實踐之數據庫
- 6. 阿里數據庫DevOps最佳實踐
- 7. MySQL 數據庫優化最佳實踐
- 8. 數據庫varchar長度最佳實踐
- 9. SaaS 模式雲數據倉庫 MaxCompute 數據安全最佳實踐
- 10. 企業中臺最佳實踐--阿里數據中臺最佳實踐(九)
- 更多相關文章...
- • AJAX 數據庫實例 - ASP 教程
- • 數據庫是什麼?數據庫的概念 - MySQL教程
- • TiDB 在摩拜單車在線數據業務的應用和實踐
- • Flink 數據傳輸及反壓詳解
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
