Database connection "supernatural" incident: experts please come in, urgent help needed!
As a SaaS-mode ERP system, the current practice is to create one database per enterprise but share one set of PHP scripts. For example, my SaaS client has 50 companies, which means I built 50 databases in MySQL, all with the same data structure. The PHP scripts are a single set, so upgrading is convenient: change one place and all 50 systems are upgraded.
When each enterprise logs in on the first page, I give it a session['db']; in the PHP database connection script, the connection's DB name = session['db'], so that the enterprise is fixed to that database for its inserts, deletes and updates.
Now the "supernatural" event is an occasional cross-tenant mix-up. For example, when Enterprise A first logs in, session['db'] = 'A' is set; the login then checks the username and password against database A, and all subsequent inserts, deletes and updates go to database A's tables. But occasionally Enterprise A logs in, refreshes, and suddenly sees Enterprise B's data, and after another refresh Enterprise C's data appears. I was wondering: the connection's DB is hard-fixed to A, so why does data from the other databases get mixed in?
My own first analysis: because the scripts are the same, the URLs are the same. In theory session['db'] differs for each enterprise, and each time the page opens it connects to its own database, so there should be no problem. Since the mix-up happened anyway, I suspected caching. Later I checked online and found that 360 Browser was reported to upload users' private data, with cookies uploaded as well, and I wondered whether this 360 Browser behaviour caused it.
My first response: I used wildcard DNS resolution and changed each enterprise's site to a different hostname, i.e. Enterprise A's site is a.xxx.com and Enterprise B's is b.xxx.com, while the overall framework and the PHP scripts remain the same set. In that case, even if 360 uploads the cookie to its server cache, the URLs are different, so there should be no mix-up, right? But it turned out I was wrong again. In the afternoon a customer called asking why he could see another company's data in his system. I'm completely at a loss.
My own second analysis: I suspect it is caused by the mysql_pconnect() connection. I was thinking: Enterprise A establishes a persistent database connection; Enterprise B's login also calls mysql_pconnect(); won't Apache simply hand the connection established by Enterprise A to Enterprise B? So that night I immediately changed pconnect to connect. But I'm still worried; I feel the problem is not that simple. For commercial software, the consequences of this data mix-up are too serious. I have put too much effort into it to fall short now.
Once again I beg the experts to help me analyze how this peculiar phenomenon can appear. I have repeatedly suspected caching, but even if a cached page is displayed, it should not be possible to modify each other's data, so I feel the problem still lies in the database connection?
My QQ is 13676987, Hangzhou; looking forward to talking with the experts!
------Solution--------------------
1. Is session['DB'] actually $_SESSION['db']?
2. Why write the database name into the session?
Why not give each site a config file that records its own information? For example, each site has its own config.php with:
define('DBNAME', 'db1');
3. Is your session stored in the DB?
------Solution--------------------
If so, then the 50 virtual hosts should be different.
Use the Apache env module; for the method see my earlier article: http://blog.csdn.net/fdipzone/article/details/9388959
In the virtual host, add:
SetEnv DBNAME db1
Set a different value in each virtual host.
Then set the dbname where the config originally set it.
For example, instead of $dbname = 'db1'; use $dbname = $_SERVER['DBNAME'];
------Solution--------------------
Tip: data saved with env can only be read on the web side and not in PHP CLI mode; please use it according to your specific requirements.
------Solution--------------------
A persistent database connection reuses the connection to the database server, but it does not reuse the selected database.
Let me start from "why he could see another company's data in his system":
From "My first response: I used wildcard DNS resolution" we know that your user authentication is independent per enterprise. SSO is very popular now, and it cannot be ruled out that you are using it too.
Since several companies can use the same set of software without modification (including the interface), it is evident that these companies are in the same industry. So we cannot rule out that company A knows company B's login password.
With a multi-tab browser, log in to company A on tab A and to company B on tab B. Go back to tab A and you will see company B's data.
Because the tabs share cookies, the session ID set by A is overwritten by B's login.
Unconditionally trusting incoming data is the basis of the CSRF attack.
When using the second-level domain name method, the cookie is not shared because the domain names differ. However, with single sign-on and a trust relationship between the domains, the situation does not change at all.
At present too many people do not believe in the capability of the database and like to bolt on a data cache and the like (afraid of exhausting the database; the compassionate spirit is commendable).
A data cache is distinguished by query name; in your system, where tenants differ only by database name, it is normal for the data's ownership to get confused.
------Solution--------------------
Reference:
A persistent database connection reuses the connection to the database server, but it does not reuse the selected database.
Let me start from "why he could see another company's data in his system":
From "My first response: I used wildcard DNS resolution" we know that your user authentication is independent per enterprise. SSO is very popular now, and it cannot be ruled out that you are using it too.
Since several companies can use the same set of software without modification (including the interface), it is evident that these companies are in the same industry. So we cannot rule out that company A knows company B's login password.
With a multi-tab browser, log in to company A on tab A and to company B on tab B. Go back to tab A and you will see company B's data.
Because the tabs share cookies, the session ID set by A is overwritten by B's login.
Unconditionally trusting incoming data is the basis of the CSRF attack.
When using the second-level domain name method, the cookie is not shared because the domain names differ. However, with single sign-on and a trust relationship between the domains, the situation does not change at all.
At present too many people do not believe in the capability of the database and like to bolt on a data cache and the like (afraid of exhausting the database; the compassionate spirit is commendable).
A data cache is distinguished by query name; in your system, where tenants differ only by database name, it is normal for the data's ownership to get confused.
Does this mean the problem lies in the cache? Would this problem not occur if I were not connecting to the database every time?
------Solution--------------------
If you don't use a cache, you eliminate one aspect where the problem might exist.
If you don't trust $_SESSION['db'] but have at least one means of judging where the user comes from, you eliminate another aspect where the problem might exist.
When you have ruled out every known possible problem and the problem is still not solved, then there is an unknown potential problem, and that is what needs to be discussed.
The OP means the same thing: he wants you to point out the aspects that may have problems, so that he can troubleshoot them.
As for how to solve it, that comes later; until the problem is found, any solution is futile.
Reference:
Does this mean the problem lies in the cache? Would this problem not occur if I were not connecting to the database every time?
------Solution--------------------
Is there some probability that the database connection was reused? That possibility does not exist.
In particular, could session['DB'] have been emptied for some uncertain reason?
If session['DB'] were emptied, it would be equivalent to executing mysql_select_db('') which would fail (No database selected).
The cache I mentioned is the project's own cache feature,
typically used to cache query results so that frequently accessed data is not read from the database.
If you use second-level domain names, you should bind the second-level domain name to the database name.
------Solution--------------------
Bump and bookmark ~~~
------Solution--------------------
Mark. A newbie passing by to learn.
If I were doing this, customers would be a separate table, and every table and index would carry a customer ID field, with a simple unified admin backend for adding customers; easy to manage ~
When the frontend model layer passes in the WHERE xxx filter variable, uniformly append customer_id = xxx ~ but I'm not sure of the drawbacks of this approach.
------Solution--------------------
Reference (quoting an earlier reply):
Tip: data saved with env can only be read on the web side and not in PHP CLI mode; please use it according to your specific requirements.
I did not use 50 virtual hosts, just one, using wildcard domain resolution: all second-level domains point to a single virtual host.
Hard to say; the information provided is not much, so it is difficult to analyze. The boss above has already analyzed it fairly comprehensively.
------Solution--------------------
Are you using the domain name, $_SERVER['HTTP_HOST'], to choose which database to connect to?
Can you post that part of the code for reference?
------Solution--------------------
What I do now is that each company uses a separate domain name, and different configuration files are read according to the domain name.
Company A uses http://a.xx.com
Company B uses http://b.xx.com
There is no cross-domain issue; with the current number of enterprises there have been no problems and it has been quite stable. You can take a look for reference.
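Putting the thread's advice together (mapping the request host to a database as the SetEnv and per-domain answers suggest, plus a check that the session really belongs to the resolved tenant), here is an added PHP example that is not code from any poster; TENANT_DB, ERP_DB_PASS, the hostnames and the database names are assumptions:

```php
<?php
// Added example (not code from this thread): pick the tenant database from the request
// host via a fixed allowlist, open a plain (non-persistent) mysqli connection, and refuse
// a session created under another tenant. Assumed: TENANT_DB, ERP_DB_PASS, SetEnv DBNAME.
// Constructed allowlist: hostname => database name. Unlisted hosts are refused.
const TENANT_DB = [
    'a.xxx.com' => 'erp_a',
    'b.xxx.com' => 'erp_b',
];
function resolveTenantDb(array $server): string
{
    // Per-<VirtualHost> SetEnv DBNAME wins: the request cannot influence it.
    if (!empty($server['DBNAME'])) {
        return (string) $server['DBNAME'];
    }
    // Single wildcard vhost: HTTP_HOST is client-supplied, so it is only used as
    // an exact allowlist key (port stripped, lowercased, no substring matching).
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    if (!isset(TENANT_DB[$host])) {
        http_response_code(404);
        exit('unknown tenant host');
    }
    return TENANT_DB[$host];
}
function openTenantConnection(string $db): mysqli
{
    // No 'p:' host prefix: a persistent connection keeps the database the previous
    // request selected unless every request explicitly selects its own again.
    $conn = new mysqli('127.0.0.1', 'erp_user', (string) getenv('ERP_DB_PASS'), $db);
    if ($conn->connect_errno !== 0) {
        throw new RuntimeException('db connect failed: ' . $conn->connect_error);
    }
    return $conn;
}
function bindSessionToTenant(string $db): void
{
    // Tabs on one host share the PHPSESSID cookie; a session created by a login under
    // another tenant is discarded here rather than trusted for this host.
    if (isset($_SESSION['db']) && $_SESSION['db'] !== $db) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('session belongs to a different tenant');
    }
    $_SESSION['db'] = $db;
}
session_start();
$db   = resolveTenantDb($_SERVER);
bindSessionToTenant($db);
$conn = openTenantConnection($db);
```

With this layout the database is never chosen from a value the browser can rewrite, and a session left over from another tenant's login is rejected instead of silently served.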