Reputation: 1250
facebook user info storing in database
My website provide the user to create an account and log in with facebook. The user table contain: userId (generated by $userId = uniqid(rand(), true;, if user creating his own account). password, salt, email, date joined.
1st question:
I am not sure if what I am doing with facebook is safe. Right now I am getting user ID from facebook and sending it to server with xmlhttpRequest object. Then server store it under userID and leave other columns blank.
2nd question:
Is the possibilities significant for the facebook userID to overlap with normal account's userid generated by uniquid(rand(), true)
3rd question:
is it safe to use client side login? I mean even my App ID will be seen by users.
4th question: In order to tell if the entry is a facebook account or normal account, should I add another column in database, true=facebook account, false=normal account. Or should I just check to see if password column is blank for the certain account?
Upvotes: 0
Views: 202
Answers (1)
Reputation: 14302
Using thepointless.com as an example, every user gets an auto-incremented ID, including facebook users. External authentication services are recognized by the username, which contains a URL for "irregular" users:
+----------+------------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+----------+------------------+------+-----+-------------------+----------------+
| user_id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| username | varchar(255) | YES | UNI | NULL | |
| password | varchar(255) | YES | | NULL | |
| created | timestamp | NO | | CURRENT_TIMESTAMP | |
| userdata | mediumtext | YES | | NULL | |
| admin | tinyint(1) | YES | | 0 | |
| name | varchar(765) | YES | | NULL | |
+----------+------------------+------+-----+-------------------+----------------+
Facebook users' usernames are the URLs of their graph data, like http://graph.facebook.com/8643372. It isn't necessary in your system to point to something real, so long as it identifies the domain and an external [unique] ID. It just so happens in this case that the user's public graph object is a short, predictable URL.
Normal users are restricted from prefixing their usernames with http or https. The password is left blank. And the userdata stores the JSON or XML provided by the 3rd party authentication service.
A fully client-side login shouldn't generally be trusted by server-side logic. But, server-side validation of a JavaScript initiated login is generally not difficult. And there's no reason not to trust, at least on a preliminary basis, an entirely client-side authentication on the client.
And as far as I know, there's no need to keep your App ID a secret. It's your "App Secret" that needs to remain hidden.
Upvotes: 1
Related Questions
- Storing Friends in Database for Social Network
- How do you get a facebook user's information and insert it into a database?
- how to pull user information from facebook sdk into my site's database using php
- Saving User Data to Database From Facebook API
- How should I handle the user data after the user login through Facebook
- How to store facebook user's information(except password) in MySql DB, when a user logs into my website
- Storing Facebook login using PHP
- Facebook PHP SDK - Store user data into MYSql database
- How to fetch user info from Facebook?
- Facebook App : Problem with storing user info