Database connection class suggestions
I created this class to connect to my database and read somewhere that having different users for the connection is the most secure. So I made a user for the four different options I use at the moment one for Update, Select, Delete, and Insert. I wasn't really sure if it was necessary to create a user for each one of these. I am basically wondering what I could do to improve this class. I know these questions have appeared a lot on here but everyone's class seems to be different, so I figured I'd ask.
Here is the pastebin for the code.. Its very long otherwise I'd just post it here. If pastebin is an issue I'll add the code anyway.
(edit by ninetwozero: put the code inline)
<?php
class DB_Connection {
//Subject to change
protected $_DATABASE = '#';
protected $_HOST = '#';
protected $_SELECT = array( 'connection' => null,
'user' => '#',
'pass' => '#',
'alive' => FALSE,
'thread' => '' );
protected $_INSERT = array( 'connection' => null,
'user' => '#',
'pass' => '#',
'alive' => FALSE,
'thread' => '' );
protected $_DELETE = array( 'connection' => null,
'user' => '#',
'pass' => '#',
'alive' => FALSE,
'thread' => '' );
protected $_UPDATE = array( 'connection' => null,
'user' => '#',
'pass' => '#',
'alive' => FALSE,
'thread' => '' );
/**
* Take an input and create that connection and connect to the database
* using the appropriate logins
* @param $type - Type of connection; SELECT, UPDATE, DELETE, INSERT
*/
public function __construct( $type ) {
switch($type) {
case "SELECT":
// Create the connection
$this->_SELECT['connection'] = new mysqli($this->_HOST,
$this->_SELECT['user'],
$this->_SELECT['pass'],
$this->_DATABASE );
// State that the connection is alive
$this->_SELECT['alive'] = TRUE;
// Put in the thread ID that is created when the connection is established
$this->_SELECT['thread'] = $this->_SELECT['connection']->thread_id;
// Verify that the connection was successfull
i开发者_如何学Gof($this->_SELECT['connection']->connect_error) {
die('Connection error: ' . $this->_SELECT['connection']->connect_errorno . ' ' .
$this->_SELECT['connection']->connect_error );
//TODO Create better error handling
} else {
echo "connection worked somehow.<br />";
}
case "INSERT":
// Create the connection
$this->_INSERT['connection'] = new mysqli($this->_HOST,
$this->_INSERT['user'],
$this->_INSERT['pass'],
$this->_DATABASE );
// State that the connection is alive
$this->_INSERT['alive'] = TRUE;
// Put in the thread ID that is created when the connection is establishedq
$this->_INSERT['thread'] = $this->_INSERT['connection']->thread_id;
// Verify that the connection was successfull
if($this->_INSERT['connection']->connect_error) {
die('Connection error: ' . $this->_INSERT['connection']->connect_errorno . ' ' .
$this->_INSERT['connection']->connect_error );
//TODO Create better error handling
} else {
echo "connection worked somehow.<br />";
}
case "DELETE":
// Create the connection
$this->_DELETE['connection'] = new mysqli($this->_HOST,
$this->_DELETE['user'],
$this->_DELETE['pass'],
$this->_DATABASE );
// State that the connection is alive
$this->_DELETE['alive'] = TRUE;
// Put in the thread ID that is created when the connection is establishedq
$this->_DELETE['thread'] = $this->_DELETE['connection']->thread_id;
// Verify that the connection was successfull
if($this->_DELETE['connection']->connect_error) {
die('Connection error: ' . $this->_DELETE['connection']->connect_errorno . ' ' .
$this->_DELETE['connection']->connect_error );
//TODO Create better error handling
} else {
echo "connection worked somehow.<br />";
}
case "UPDATE":
// Create the connection
$this->_UPDATE['connection'] = new mysqli($this->_HOST,
$this->_UPDATE['user'],
$this->_UPDATE['pass'],
$this->_DATABASE );
// State that the connection is alive
$this->_UPDATE['alive'] = TRUE;
// Put in the thread ID that is created when the connection is establishedq
$this->_UPDATE['thread'] = $this->_UPDATE['connection']->thread_id;
// Verify that the connection was successfull
if($this->_UPDATE['connection']->connect_error) {
die('Connection error: ' . $this->_UPDATE['connection']->connect_errorno . ' ' .
$this->_UPDATE['connection']->connect_error );
//TODO Create better error handling
} else {
echo "connection worked somehow.<br />";
}
}// END CASE
}// END _construct
public function get_Select_Con() {
return $this->_SELECT['connection'];
}
public function get_Insert_Con() {
return $this->_INSERT['connection'];
}
public function get_Delete_Con() {
return $this->_DELETE['connection'];
}
public function get_Update_Con() {
return $this->_UPDATE['connection'];
}
/**
* Kill the threads and close the connection
*/
public function __destruct() {
if ($this->_SELECT['alive'] == TRUE) {
$this->_SELECT['connection']->kill($this->_SELECT['thread']);
$this->_SELECT['connection']->close();
echo " thread killed and connection closed";
}
if ($this->_INSERT['alive'] == TRUE) {
$this->_INSERT['connection']->kill($this->_INSERT['thread']);
$this->_INSERT['connection']->close();
echo " thread killed and connection closed";
}
if ($this->_DELETE['alive'] == TRUE) {
$this->_DELETE['connection']->kill($this->_DELETE['thread']);
$this->_DELETE['connection']->close();
echo " thread killed and connection closed";
}
if ($this->_UPDATE['alive'] == TRUE) {
$this->_UPDATE['connection']->kill($this->_UPDATE['thread']);
$this->_UPDATE['connection']->close();
echo " thread killed and connection closed";
}
}// END _destruct
}
?>
http://pastebin.com/F4e4Yz5r
You probably haven't understood things correctly. Database access should, most of the time, be made inside a transaction, which guaranteed ACIDity. And in the same transaction, you'll have selects, inserts, updates and deletes. Having 4 different users (and thus 4 seperate connections, and thus 4 separate transactions) for each kind of operation is just a VERY bad idea.
The limitations on actions a certain user can perform should not be delegated to the code, but managed by the database server itself, through its permissions management. Even with a very (too??) coarse grained permission schema here it gets pretty messy very quickly, as your code proves. Now imagine that you need to manage these rights on a per-table base...
As others already said, I would stick to an existing database connection solution and learn how to use the permission system of a database to its best potential, eg by letting the application that just shows data run as a user with just read permissions, etc.
If you are going to create different database users then these should be for the different kinds (and levels) of users that use your application, not one for each permission on the database, since a single user will probably want to do all the above at some point... but only on certain tables. So you could create different users for Guests, Authenticated Users, Admins, etc. For example, Guests won't be able to UPDATE (or even SELECT?) the user_profiles table.
And as mentioned in my comment... You shouldn't be storing your db connection parameters inside the class itself. These should be read in from a secure location (perhaps above the web root), so that if PHP is compromised your DB isn't as well.
加载中,请稍侯......
精彩评论