CN117592086A - Data reading and writing method, system and storage medium of database - Google Patents

Info

Publication number: CN117592086A
Authority: CN (China)
Prior art keywords: database, read, data, configuration information, write
Legal status: Pending
Application number: CN202311775580.7A
Other languages: Chinese (zh)
Inventor: 刘晨
Current Assignee: Wuhan Lianying Zhiyuan Medical Technology Co ltd
Original Assignee: Wuhan Lianying Zhiyuan Medical Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G06F16/245 Query processing
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the application is suitable for the technical field of databases, and provides a data reading and writing method, a system and a storage medium of a database, wherein the method comprises the following steps: intercepting a database read-write request sent by an application program client; the database read-write request comprises a read-write statement for performing read-write operation on the database; according to the first configuration information cached by the application program server, encrypting the data of the target field in the read-write statement to obtain an encrypted read-write statement; the data in the encryption read-write statement is first encrypted data; the first configuration information is updated by the application program server based on the configuration information configured in the external configuration center server; sending the encrypted read-write statement to a database; the database is used for performing read-write operation on the first encrypted data. By adopting the method, the sensitive data can be stored in the database under different service scenes without modifying the service logic codes of the application program server.

Description

Data reading and writing method, system and storage medium of database
Technical Field
The application belongs to the technical field of databases, and particularly relates to a data reading and writing method, a system and a storage medium of a database.
Background
As database servers evolve, businesses typically employ databases to store large amounts of highly sensitive data. For example, for businesses in the medical field, databases are typically used to store a variety of data such as patient name, identification number, and contact information. Such data must be encrypted when it is stored.
At present, when encrypting and decrypting data of a database, a developer generally adds data encrypting and decrypting logic into a service code of the database according to service requirements. When the service scene or the sensitive data demand changes, the data encryption and decryption logic in the original service code is also required to be modified.
However, adding data encryption and decryption logic to the service code of the database tightly couples the service code to that logic. As a result, when the service scenario or the sensitive data to be encrypted changes, a large amount of logic code must be modified, and flexibility is low. In addition, the application server version corresponding to the online database must be redeployed, which takes a long time to take effect.
Disclosure of Invention
The embodiment of the application provides a data read-write method, a system and a storage medium of a database, which can solve the problem that a large amount of logic codes need to be modified when a business scene is changed or sensitive data needing to be encrypted is changed.
In a first aspect, an embodiment of the present application provides a method for reading and writing data in a database, where the method is applied to an application server, and the method includes:
intercepting a database read-write request sent by an application program client; the database read-write request comprises a read-write statement for performing read-write operation on the database;
according to the first configuration information cached by the application program server, encrypting the data of the target field in the read-write statement to obtain an encrypted read-write statement; the data in the encryption read-write statement is first encrypted data; the first configuration information is updated by the application program server based on the configuration information configured in the external configuration center server;
sending the encrypted read-write statement to a database; the database is used for performing read-write operation on the first encrypted data.
In a second aspect, an embodiment of the present application provides a data read-write device of a database, which is applied to an interception module in an application server, where the device includes an interception sub-module, a statement processing module and a sending module; the interception sub-module comprises a first interception sub-module, the statement processing module comprises an encryption sub-module, and the sending module comprises a first sending sub-module:
The first interception sub-module is used for intercepting a database read-write request sent by the application program client; the database read-write request comprises a read-write statement for performing read-write operation on the database;
the encryption sub-module is used for carrying out encryption processing on the data of the target field in the read-write statement according to the first configuration information cached by the application program server side to obtain an encrypted read-write statement; the data in the encryption read-write statement is first encrypted data; the first configuration information is updated by the application program server based on the configuration information configured in the external configuration center server;
the first sending submodule is used for sending the encryption read-write statement to the database; the database is used for performing read-write operation on the first encrypted data.
In a third aspect, an embodiment of the present application provides a data read-write system, including a database and an application server; the application program server is connected with an external configuration center server, and updates the cached first configuration information based on the configuration information configured in the configuration center server; the application program server comprises an interception module and a database client; the interception module is respectively connected with the database and the database client;
the database client is used for sending a database read-write request sent by the application client to the interception module; the database read-write request comprises a read-write statement for performing read-write operation on the database;
The interception module is used for intercepting a database read-write request, encrypting data of a target field in a read-write statement to obtain an encrypted read-write statement, and sending the encrypted read-write statement to the database; the data in the encryption read-write statement is first encrypted data;
the database is used for receiving the encryption read-write statement and performing read-write operation on the first encryption data.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements a method as in the first aspect described above.
In a fifth aspect, embodiments of the present application provide a computer program product which, when run on an application client, causes the application client to perform the method of the first aspect described above.
Compared with the prior art, the embodiment of the application has the beneficial effects that: the application program server side can intercept a database read-write request needing to access the database, and can encrypt data of a target field in read-write sentences contained in the data read-write request according to first configuration information cached by the application program server side to obtain a first encrypted read-write sentence containing first encrypted data. At this time, the encryption and decryption logic for the data is executed by the application server and is not set in the database, so that the service code and the encryption and decryption logic can be decoupled. And the first configuration information is stored in the application program server and updated based on the configuration information configured in the external configuration center server. Therefore, when the encryption and decryption logic is required to be changed according to different service scenes and sensitive data requirements, only the external configuration center server is required to be changed. The application program server can update the configuration information directly based on the configuration center server and is called by the application program server to execute the data encryption and decryption processing. Based on the method, the system and the device, the sensitive data can be stored in the database without modifying the business logic codes of the database server and the application program server under different business scenes. The flexibility is high, and the version of the application program server does not need to be updated.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the following description will briefly introduce the drawings that are needed in the embodiments or the description of the prior art, it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data read-write system according to an embodiment of the present application;
FIG. 2 is a flowchart of an implementation of a method for reading and writing data from and to a database according to an embodiment of the present application;
FIG. 3 is a flowchart of an implementation of a method for reading and writing data from and to a database according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a data read-write device of a database according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
As database servers evolve, businesses typically employ databases to store large amounts of highly sensitive data. For example, for businesses in the medical field, databases are typically used to store a variety of data such as patient name, identification number, and contact. And, at the time of storage, the data is subjected to encryption processing.
At present, when encrypting and decrypting data of a database, a developer generally adds data encrypting and decrypting logic into a service code of the database according to service requirements. When the service scene or the sensitive data demand changes, the data encryption and decryption logic in the original service code is also required to be modified.
However, adding data encryption and decryption logic to the service code of the database tightly couples the service code to that logic. As a result, when the service scenario or the sensitive data to be encrypted changes, a large amount of logic code must be modified, flexibility is low, the service code is easily intruded upon, and a security risk to the service results. In addition, the application server version corresponding to the online database must be redeployed, which takes a long time to take effect.
Based on the above, in order to realize that the sensitive data can be stored in the database without modifying the service logic code of the application program server under different service scenes, the embodiment provides a data reading and writing method of the database. The method is applied to an application program server in a data read-write system.
Specifically, referring to FIG. 1, FIG. 1 is a schematic structural diagram of a data read-write system according to an embodiment of the present application. The data read-write system comprises a database 1 and an application server 2. The application server 2 performs data interaction with an external configuration center server 3 through a network. The application server 2 includes an interception module 21 and a database client 22; the interception module 21 performs data interaction with the database 1 and the database client 22 through a network, respectively. The application server 2 also performs data interaction with the application client 4 through a network.
As an example, the application server 2 may update the cached first configuration information based on the configuration information configured in the configuration center server 3. The application client 4 may send a database read-write request to the database client 22, and then the database client 22 sends the database read-write request to the interception module 21; the database read-write request includes a read-write statement for performing a read-write operation on the database 1.
The interception module 21 is configured to intercept a database read-write request, encrypt data of a target field in a read-write statement, obtain an encrypted read-write statement, and send the encrypted read-write statement to the database 1; the data in the encrypted read-write statement is first encrypted data.
The database 1 is used for receiving the encrypted read-write statement and performing read-write operation on the first encrypted data.
In an embodiment, referring to FIG. 1, the application client 4 is typically a web page or app that a user logs in to on a terminal device. In general, a user may initiate a request to the application server 2 through the application client 4. When the application server 2 determines that the request is a database read-write request that needs to read or write data in the database, it may send the database read-write request to the database 1 through the database client 22 to query data from or input data to the database 1.
However, since the interception module 21 is disposed between the database 1 and the database client 22, the interception module may intercept the database read-write request.
Referring to fig. 2, fig. 2 shows a flowchart of an implementation of a method for reading and writing data of a database according to an embodiment of the present application. As shown in fig. 2, the method uses an application server in a data read-write system as an execution subject. Specifically, fig. 2 includes the following steps:
S201, intercepting a database read-write request sent by an application program client; the database read-write request comprises a read-write statement for performing read-write operation on the database.
Wherein the database read-write request includes, but is not limited to, a request to add, delete, modify, or query. Thus, the read-write statements include, but are not limited to, SQL statements such as add, delete, modify, or query.
For example, the read-write statement may be: select * from A where name = 'Zhang San'. This statement searches table A of the database for the data of Zhang San. Here, A can be regarded as an entity class in the database read-write request, name is a field in that entity class, and Zhang San is the data being requested.
As an example, an EncryptedStoreInterceptor class may be created in the application server to implement the Interceptor interface provided by MyBatis. By overriding the interface method, a database read-write request that the application client sends toward the database is intercepted by the application server.
S202, according to first configuration information cached by an application program server, encrypting data of a target field in a read-write statement to obtain an encrypted read-write statement; the encryption read-write statement comprises first encryption data; the first configuration information is updated by the application program server based on the configuration information configured in the external configuration center server.
In one embodiment, the application server is an information service system, and is mainly built on a server, and is configured to receive and process a request (e.g., a database read-write request) sent from a client (application client).
In an embodiment, the first configuration information includes a first encryption and decryption field and a key that need to be encrypted and decrypted. The first encryption and decryption field can be set according to the service scene. Illustratively, for a medical field scenario, the first encryption and decryption field includes, but is not limited to, the patient's name, identification card number, and contact address.
It should be noted that, the first configuration information may be cached in an external cache of the application server in advance. Specifically, a client component package of a configuration center may be embedded in advance in the application server. At this time, the application server is a client of the configuration center server with respect to the configuration center server. When the application program server starts to run, the application program server can actively connect with the configuration center server through the self-stored configuration center server address so as to acquire configuration information (encryption and decryption fields and keys) configured in the configuration center server. And then, storing the configuration information into a local cache as first configuration information.
It will be appreciated that after the application server is started, it may maintain a long-lived connection with the configuration center server. When the configuration information in the configuration center server is changed, the configuration of the application server is updated synchronously. In this embodiment, by configuring different keys and first encryption and decryption fields in the configuration center server, code reuse and flexible switching under different service scenarios can be realized, and coupling between the encryption and decryption logic code and the service code can be reduced.
In an embodiment, the data in the target field is data that needs to be encrypted in a read-write statement. As an example, the application server may match each field in the read-write statement with the first encryption and decryption field in the first configuration information to determine the target field that needs to be encrypted. That is, when all the first encryption and decryption fields set in the first encryption configuration information include the target field, the application server may directly encrypt the data in the target field by adopting a preset encryption manner, so as to obtain an encryption read-write statement.
The preset encryption mode can be a mode of processing data by adopting a preset encryption and decryption algorithm. The encryption and decryption algorithm may be, for example, the Advanced Encryption Standard algorithm 256 (Advanced Encryption Standard, AES256), the cryptographic hash function family (Secure Hash Algorithm, SHA), the Data Encryption Standard (Data Encryption Standard, DES), or another reversible encryption algorithm, which is not limited thereto.
Based on the above description, the application server may use a reversible encryption algorithm such as AES256, SHA, DES, etc. to convert the plaintext data in the target field into ciphertext data (first encrypted data). In this example, the data may be encrypted using the cipher block chaining (Cipher Block Chaining, CBC) mode of the AES encryption algorithm. In CBC mode, each plaintext block is XORed with the previous ciphertext block and then encrypted. Because each plaintext block requires the previous ciphertext block as input, data security can be enhanced.
It should be noted that the application server may use aspect-oriented programming (Aspect Oriented Programming, Spring AOP) to add aspects around the persistence layer, covering both hand-written JDBC SQL and persistence-layer frameworks, intercept the data to be processed from the persistence layer, and then replace the original plaintext data with the encrypted data. Persistence-layer frameworks include, but are not limited to, JPA, MyBatis, MyBatis-Plus, and similar frameworks.
It will be appreciated that for non-target fields in a read-write statement, the encrypted read-write statement should also include unencrypted plaintext data, as it does not require encryption.
In a practical scenario, data required for a data read/write request is typically stored in different database tables in a database. Each database table corresponds to a class (entity class) in the service. Typically, a row of data in a database table is an object and a column of data is an attribute (field) of the object.
For example, if the database table is a table storing patient information, the database table may be considered as an entity class corresponding to patient information in the business. The name, ID card number and contact way corresponding to each column in the database table are all fields in the entity class. Each row of data in the database table is patient information corresponding to one patient.
Also, a variety of database tables (i.e., having a plurality of entity classes) are typically stored in a database, each entity class including a plurality of fields, respectively. Based on this, in a practical scenario, the first encryption configuration information may have a larger number of first encryption and decryption fields, and be located in different entity classes. And, the plurality of fields included in one entity class may have only a part of the fields as the first encryption and decryption fields.
Based on the above description, when the read-write statement includes a plurality of fields, matching those fields one by one against the first encryption and decryption fields in the first configuration information may increase the workload of the CPU and the time needed to find the target field.
Based on the above, in order to quickly determine the target field in the read-write statement, the application program server may first parse the read-write statement to determine the target entity class including the preset first tag annotation in the read-write statement. And then, determining a field containing a preset second mark annotation in the target entity class as a target field.
The first marker annotation and the second marker annotation can be preset by a developer. The first marker annotation may be @SensitiveData, or another form having the same definition, for example. The second marker annotation may be @EncryptField, or another form having the same definition. In this embodiment, the annotation form of the first marker annotation and the second marker annotation is not limited.
Specifically, when determining that the read-write statement contains the target entity class of the preset first mark annotation, the application program server side determines that a target field which needs to be encrypted and decrypted possibly exists in a plurality of fields correspondingly included in the target entity class. Then, when the target entity class may include a plurality of fields, the field with the second tag annotation carried therein is again determined as the target field.
It can be appreciated that adding the first tag annotation to the entity class can prevent scanning of all entity classes, reducing the workload of the CPU and the time required to query the target field. Similarly, adding a second tag annotation to the field can also prevent scanning all fields contained in the entity class, further reducing the CPU workload and the time required to query the target field.
Illustratively, take the read-write statement select * from A where name = 'Zhang San'. The application server can determine, according to preset code, whether entity class A in the read-write statement is an entity class carrying the first marker annotation @SensitiveData. When entity class A is determined to be a target entity class carrying the first marker annotation, the server determines whether the field name in the read-write statement carries the second marker annotation. When the field name is determined to be a target field carrying the second marker annotation @EncryptField, the data corresponding to the target field name is encrypted to obtain the first encrypted data BCD. The encrypted read-write statement is then select * from A where name = 'BCD'.
In particular, when the target entity class is not included in the read/write statement and/or the target field is not included in the target entity class, the data to be read/written by the read/write statement may be considered to be not encrypted in the database. I.e. the data to be read from or written to is not sensitive data. Therefore, the data of each field included in the read-write statement does not need to be encrypted. At this time, the application server may directly send the database read-write request to the database.
It should be added that for different traffic scenarios, there may be fields that do not need to be encrypted or decrypted. At this time, the first configuration information may not set any first encryption and decryption field. However, in order to ensure the privacy of the data as much as possible, in this embodiment, when the first encryption and decryption field is not set in the first configuration information, the application server may also encrypt the data in the target field by using a preset encryption manner, so as to obtain an encrypted read-write statement.
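The two-level marker scan and target-field encryption described above, as an added Java example (not code from the patent or its applicant). It also shows why an equality query such as where name = 'BCD' only matches a stored row when encryption is deterministic: AES-CBC with a random IV produces a different ciphertext for the same plaintext on every call. The annotation names mirror the page's two marker annotations; CryptoConfig, Patient, AuditNote, the separate IV key and the HMAC-derived IV are assumptions of this example, and all sample values are constructed.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class FieldEncryptionDemo {
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface SensitiveData {}          // first marker: entity class may hold target fields
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface EncryptField {}           // second marker: this field is a target field

    /** Hypothetical stand-in for the cached first configuration information. */
    static final class CryptoConfig {
        final byte[] encKey, ivKey;
        final Set<String> fields;
        CryptoConfig(byte[] encKey, byte[] ivKey, String... fields) {
            this.encKey = encKey;
            this.ivKey = ivKey;
            this.fields = new HashSet<>(Arrays.asList(fields));
        }
    }

    @SensitiveData
    static final class Patient {
        @EncryptField String name;
        @EncryptField String idNumber;
        String ward;                     // non-target field, stays plaintext
        Patient(String name, String idNumber, String ward) {
            this.name = name; this.idNumber = idNumber; this.ward = ward;
        }
    }

    static final class AuditNote {       // no class-level marker: its fields are never scanned
        @EncryptField String text = "constructed note";
    }

    /** AES-256-CBC; returns Base64(IV || ciphertext). */
    static String encrypt(CryptoConfig cfg, String plain, boolean deterministic) throws Exception {
        byte[] data = plain.getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[16];
        if (deterministic) {             // assumption: IV = first 16 bytes of HMAC-SHA256(ivKey, plaintext)
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(cfg.ivKey, "HmacSHA256"));
            System.arraycopy(mac.doFinal(data), 0, iv, 0, 16);
        } else {
            new SecureRandom().nextBytes(iv);
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(cfg.encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(data);
        byte[] out = Arrays.copyOf(iv, 16 + ct.length);
        System.arraycopy(ct, 0, out, 16, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(CryptoConfig cfg, String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(cfg.encKey, "AES"),
                    new IvParameterSpec(raw, 0, 16));
        return new String(cipher.doFinal(raw, 16, raw.length - 16), StandardCharsets.UTF_8);
    }

    /** Two-level scan: class marker first, then field marker, then the cached field list. */
    static int encryptTargetFields(Object entity, CryptoConfig cfg, boolean deterministic)
            throws Exception {
        Class<?> type = entity.getClass();
        if (!type.isAnnotationPresent(SensitiveData.class)) return 0;
        int count = 0;
        for (Field f : type.getDeclaredFields()) {
            if (!f.isAnnotationPresent(EncryptField.class)) continue;
            // An empty configured list means every marked field is encrypted (the page's fallback).
            if (!cfg.fields.isEmpty() && !cfg.fields.contains(f.getName())) continue;
            f.setAccessible(true);
            Object value = f.get(entity);
            if (value instanceof String) {
                f.set(entity, encrypt(cfg, (String) value, deterministic));
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[32], ivKey = new byte[32];   // constructed demo keys
        new SecureRandom().nextBytes(encKey);
        new SecureRandom().nextBytes(ivKey);
        CryptoConfig onlyName = new CryptoConfig(encKey, ivKey, "name");
        CryptoConfig noList = new CryptoConfig(encKey, ivKey);

        boolean randomMatches = encrypt(onlyName, "Zhang San", false)
                .equals(encrypt(onlyName, "Zhang San", false));
        boolean derivedMatches = encrypt(onlyName, "Zhang San", true)
                .equals(encrypt(onlyName, "Zhang San", true));
        System.out.println("random IV, query value equals stored value: " + randomMatches);
        System.out.println("derived IV, query value equals stored value: " + derivedMatches);

        Patient p = new Patient("Zhang San", "constructed-id-001", "W3");
        System.out.println("configured list [name], fields encrypted: "
                + encryptTargetFields(p, onlyName, true) + ", idNumber=" + p.idNumber);
        System.out.println("round trip of name: " + decrypt(onlyName, p.name));
        System.out.println("empty list, fields encrypted: "
                + encryptTargetFields(new Patient("Li Si", "constructed-id-002", "W1"), noList, true));
        System.out.println("unmarked class, fields encrypted: "
                + encryptTargetFields(new AuditNote(), onlyName, true));
    }
}
```

Deterministic encryption lets the database match equal values, which also means anyone who can read the table can tell which rows share a value; fields that are never queried by equality are better served by the random-IV path. A hash such as SHA cannot stand in here when the value has to be decrypted on read.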
S203, sending the encryption read-write statement to a database; the database is used for performing read-write operation on the first encrypted data.
In an embodiment, after sending the encrypted read-write statement to the database, the database may correspondingly write each first encrypted data and unencrypted plaintext data in the encrypted read-write statement into a database table corresponding to the database when the encrypted read-write statement is an addition, deletion or modification statement, or delete or modify data in a corresponding position in the database table, which is not limited. And when the encrypted read-write statement is a query statement, querying data in a corresponding position in the database table and returning the data to the application program client.
In this embodiment, the application server may intercept a database read-write request that needs to access the database, and may encrypt, according to first configuration information cached by the application server, data in a target field in a read-write statement included in the data read-write request, to obtain a first encrypted read-write statement including first encrypted data. At this time, the encryption and decryption logic for the data is executed by the application server and is not set in the database, so that the service code and the encryption and decryption logic can be decoupled. And the first configuration information is stored in the application program server and updated based on the configuration information configured in the external configuration center server. Therefore, when the encryption and decryption logic is required to be changed according to different service scenes and sensitive data requirements, only the external configuration center server is required to be changed. The application program server can update the configuration information directly based on the configuration center server and is called by the application program server to execute the data encryption and decryption processing. Based on the method, the system and the device, the sensitive data can be stored in the database without modifying the business logic codes of the database server and the application program server under different business scenes. The flexibility is high, and the version of the application program server does not need to be updated.
In another embodiment, on the basis that the database can encrypt and store the data, in order to realize that the historical data in the service scene can be queried or updated without modifying the code after the encryption and decryption requirements are changed in the same service scene, the application server can also realize the effects through the following steps S301-S309. The details are as follows:
S301, obtaining a third encryption and decryption field contained in the third configuration information of the latest version from an external cache of the database.
In an embodiment, the external cache may be a Redis cache, which may cache a mapping relationship between the version number and the third encryption and decryption field. For example, the version number is stored as a key and the third encryption/decryption field is stored as a value.
S302, if the third encryption and decryption field contained in the third configuration information of the latest version is inconsistent with the first encryption and decryption field of the first configuration information, the first configuration information is determined to be the configuration information of the latest version, and the latest version number of the configuration information of the latest version is re-identified.
S303, updating the latest version of configuration information and the corresponding latest version number into a configuration information storage table of the database and an external cache.
Only the first configuration information is cached in the application program server side, and the first configuration information is updated in real time according to the configuration information configured by the configuration center server. Therefore, the first configuration information can be considered as the latest requirement for encryption and decryption fields in the service scenario.
Based on the above, when the third encryption and decryption field included in the third configuration information is inconsistent with the first encryption and decryption field of the first configuration information in the application server, the external cache of the database may be considered not yet synchronized with the latest version of the first configuration information. Therefore, the application server may determine the first configuration information as the latest version of the configuration information and re-identify the latest version number of the latest version of the configuration information. The latest version of the configuration information and the corresponding latest version number are then updated into the configuration information storage table and the external cache.
Based on the above step S303, the application server updates the configuration information storage table and the external cache at the same time. Therefore, the application server can determine whether the configuration information table in the database is updated based on the third configuration information of the latest version in the external cache. Similarly, if the third encryption and decryption field included in the third configuration information of the latest version is consistent with the first encryption and decryption field included in the first configuration information cached by the application server, the configuration information storage table may not need to be updated.
Wherein, the configuration information storage table records a plurality of versions of second configuration information; each second configuration information corresponds to a second encryption and decryption field which needs to be encrypted and decrypted. It should be noted that, the second configuration information of each version may be considered to correspond to the requirement of encryption and decryption fields in a service scenario.
The storage manner of the configuration information storage table may be as follows in table 1:
Table 1:

| Encrypt-fields | Version |
| --- | --- |
| Field a1 | V1 |
| Field a2 | V2 |
| Field a... | V... |
The above table 1 is explained by taking 1 entity class 1 stored in the configuration information storage table as an example. In an actual scenario, the configuration information storage table generally stores storage tables corresponding to a plurality of entity classes. For the entity class 1, the encryption and decryption requirements corresponding to the entity class 1 may be changed, so that the category of the field to be encrypted and decrypted corresponding to each version is also changed generally.
For example, when the entity class 1 is a class storing patient information, the first encryption and decryption field a1 corresponding to the V1 version may include fields such as name, sex, id_card, and the like. When the encryption and decryption requirements change, the first encryption and decryption field a2 of the V2 version can be fields such as name, sex, id_card, phone_number, etc., which are not limited.
Based on the above, when the third encryption and decryption field included in the third configuration information of the latest version stored in the external cache is inconsistent with the first encryption and decryption field included in the first configuration information cached in the application server, the first configuration information can be determined to be the configuration information of the latest version, and updated to the configuration information storage table. At the same time, the version number corresponding to the second configuration information of the latest version updated at this time is the version number of the latest version before the update, incremented by 1. That is, the updated table 1 will have version Vn+1.
It should be noted that, the encrypted read-write statement sent to the database at this time is encrypted by the first configuration information, however, the first configuration information may not be consistent with the second configuration information in the configuration information storage table (i.e., the data of the target field is updated based on the first configuration information cached by the application server, but the configuration information table in the database is not yet updated). Therefore, the application server may need to execute the steps S301 to S303 before sending the encrypted read/write statement to the database.
It should be noted that, in another embodiment, the application server may also directly obtain the second configuration information of the latest version from the configuration information storage table in the database, and compare the second configuration information of the latest version with the first configuration information cached by the application server. If the second configuration information of the latest version is consistent with the configuration information of the configuration center, the configuration information storage table in the database can be considered to be synchronously updated based on the first configuration information cached by the application server. If the second configuration information of the latest version is inconsistent with the configuration information of the configuration center, the first configuration information needs to be determined as the latest version of the second configuration information, and the latest version number of the latest version of the second configuration information is re-identified. The second configuration information of the latest version and the corresponding latest version number are then updated into the configuration information storage table of the database.
Although the above method can update the configuration information storage table without providing an external cache, before the application server sends the database read-write request each time, the application server needs to acquire the second configuration information of the latest version from the database to determine whether the second configuration information of the database is of the latest version. That is, this method increases the number of times of reading and writing of the database, and cannot guarantee the security of the database.
Based on this, by adopting the steps S301 to S303, before the application server side sends the database read-write request each time, it is unnecessary to acquire the configuration information storage table from the database, and only the third encryption and decryption field included in the third configuration information of the latest version is acquired from the external cache of the database to determine whether update is required.
S304, if the encryption read-write statement is a data write statement, binding the first encryption data with the latest version number in a configuration information storage table of the database; the configuration information storage table records a plurality of versions of second configuration information.
S305, synchronously writing the latest version number when the first encrypted data is written into the database.
In one embodiment, the data writing statement includes the statements described above such as add, delete, and modify. The latest version number is a version number corresponding to the latest version of the first configuration information, for example Vn+1 as described above. When data is written into the database, the application program server can bind the first encrypted data with the latest version number and synchronously write the first encrypted data into the database.
By way of example, the manner in which the database stores data may be as shown in Table 2 below:
Table 2:

| Field 1 | Field 2 | Field ... | Field x | Version |
| --- | --- | --- | --- | --- |
| Data 11 | Data 12 | Data ... | Data 1x | V1 |
| Data 21 | Data 22 | Data ... | Data 2x | V2 |
| Data y1 | Data y2 | Data ... | Data yx | Vn+1 |
The above table 2 is explained by taking a database table corresponding to 1 entity class 1 stored in the database as an example. In an actual scenario, the database typically stores database tables corresponding to a plurality of entity classes, respectively.
For example, when field 1 is the name, sex, and field 2 is the identification number of the patient, the entity class 1 may be considered to have information of y patients. In the V1 version, if the field 1 and the field 2 are fields that do not need to be encrypted and decrypted and the field 3 is a field that needs to be encrypted and decrypted, the data 11 and 12 in the database table will be plaintext data, and the field 3 is the first encrypted data. And under the V2 version, if the field 1, the field 2 and the field 3 are all fields needing encryption in the requirement of the service scene, the data 21, 22 and 23 in the database table are all first encrypted data. And after each execution of the data writing statement, synchronously writing the latest version number in the configuration information storage table of the database at a position corresponding to the version field in the database table.
In another embodiment, the application server may further encrypt the data in the target field by using a preset encryption manner to obtain an encrypted read-write statement. Then, when the encryption read-write statement is a data write statement, only the first encryption data is written into the database. At this time, the database may store only the first encrypted data. After that, when the first encrypted data is read, the application server may decrypt the first encrypted data according to a preset decryption manner. Therefore, on the basis of realizing encryption storage of data, configuration information of different versions is not required to be maintained.
S306, if the encryption read-write statement is a data read statement, response data returned by the database in response to the first encryption data is intercepted.
S307, if the response data is encrypted second encrypted data, determining a target version number bound with the second encrypted data; the database is used for synchronously transmitting the target version number bound with the second encrypted data when the second encrypted data is transmitted.
In one embodiment, when the encrypted read/write statement is a database read statement, the database will respond to the database read statement and return corresponding response data. For example, data corresponding to each field stored in the database table is determined as response data that needs to be requested. Wherein the response data may comprise second encrypted data that has been encrypted.
When the response data does not include the encrypted first encrypted data, the response data may be regarded as not being sensitive data. Thus, the response data can be sent directly to the application client.
It will be appreciated that the database may also determine, when sending the response data, a target version number corresponding to the response data according to table 2. And then, the version number and the second encrypted data are simultaneously sent to the application program server. At this time, when the application server obtains the response data and determines that the response data is the second encrypted data, the application server may directly determine the target version number.
S308, determining target third configuration information corresponding to the target version number from an external cache of the database; the external cache stores a plurality of versions of third configuration information, and the plurality of versions of third configuration information are updated synchronously with the configuration information storage table in the database.
S309, decrypting the second encrypted data based on the target third encryption configuration information to obtain decrypted data.
S310, sending the decrypted data to the application program client.
The target version number corresponding to the second encrypted data is only the latest version number of the second configuration information in the configuration information storage table at the time the second encrypted data was stored. For example, the latest version number may be Vn. However, after a period of time, the second configuration information in the configuration information storage table is updated, and the latest version number at this time may be Vn+1. Therefore, the second encrypted data of the historical version cannot be decrypted by directly using the first configuration information currently cached by the application server, and it is necessary to acquire the configuration information of the Vn version for decryption.
Based on this, the application server may determine the target third configuration information from the external cache of the database based on the target version number. The reason why the target third configuration information is not determined from the configuration information storage table in the database is to reduce the read-write times of the database and ensure the safety of the database.
The application server may also implement interception and decryption of response data by using the above-described aspect-oriented programming technique, which will not be described again.
In view of the above description, it will be understood that, in the same service scenario, if a field needs to be changed for encryption and decryption, for response data (first encrypted data) stored in history, the same encryption process needs to be performed on data corresponding to all changed fields stored in the database according to the changed fields.
However, in this embodiment, after the field to be encrypted and decrypted needs to be changed, the latest version number when the first encrypted data is encrypted may be synchronously bound when the first encrypted data is stored, and stored in the database. Then, when the subsequent first encrypted data is read as the response data, the corresponding target third configuration information may be determined from the external cache based on the target version number of the response data, and the response data (first encrypted data) may be subjected to decryption processing. Furthermore, the above-described effects can be achieved without modifying the code when the history data in the database is queried.
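The versioned write and read path of steps S301 to S309, as an added Python sketch that is not code from the patent. The configuration table, external cache and database table are in-memory stand-ins; the class, method names and sample values are constructed for illustration, and the cipher is a toy deterministic stand-in for the unspecified "preset encryption mode".

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; key management is outside this sketch


def _mac(label: bytes, data: bytes) -> bytes:
    return hmac.new(KEY, label + data, hashlib.sha256).digest()


def _keystream(iv: bytes, n: int) -> bytes:
    blocks = (_mac(b"ks|", iv + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt_value(field: str, plaintext: str) -> str:
    """Toy stand-in cipher (assumption, not a vetted algorithm).
    Deterministic on purpose: where name = '<ciphertext>' must still match,
    so equal plaintexts in one column give equal ciphertexts."""
    data = plaintext.encode()
    iv = _mac(b"iv|" + field.encode() + b"|", data)[:16]
    body = bytes(a ^ b for a, b in zip(data, _keystream(iv, len(data))))
    return base64.b64encode(iv + body).decode()


def decrypt_value(field: str, token: str) -> str:
    raw = base64.b64decode(token, validate=True)
    iv, body = raw[:16], raw[16:]
    data = bytes(a ^ b for a, b in zip(body, _keystream(iv, len(body))))
    # The IV doubles as an integrity tag: plaintext or foreign data is rejected.
    if not hmac.compare_digest(iv, _mac(b"iv|" + field.encode() + b"|", data)[:16]):
        raise ValueError(f"{field}: value is not ciphertext produced under this key")
    return data.decode()


class VersionedFieldCrypto:
    """Hypothetical stand-in for the interception module's version handling."""

    def __init__(self):
        self.config_table = {}  # configuration information storage table (Table 1)
        self.cache = {}         # external cache: version number -> encrypted fields
        self.latest = 0
        self.rows = []          # database table with a version column (Table 2)

    def sync_config(self, first_config_fields):
        # S301-S303: compare the cached latest version with the first
        # configuration information; on mismatch register version n+1 in both stores.
        fields = frozenset(first_config_fields)
        if self.cache.get(self.latest) != fields:
            self.latest += 1
            self.config_table[self.latest] = fields
            self.cache[self.latest] = fields
        return self.latest

    def write(self, row, first_config_fields):
        # S304-S305: encrypt the configured fields and store the version with the row.
        version = self.sync_config(first_config_fields)
        fields = self.cache[version]
        stored = {k: encrypt_value(k, v) if k in fields else v for k, v in row.items()}
        stored["version"] = version
        self.rows.append(stored)
        return stored

    @staticmethod
    def _decode(stored, fields):
        return {k: decrypt_value(k, v) if k in fields else v
                for k, v in stored.items() if k != "version"}

    def read(self, index):
        # S306-S309: pick the field list by the row's own version, not the latest one.
        stored = self.rows[index]
        fields = self.cache.get(stored["version"])
        if fields is None:
            raise KeyError(f"no configuration cached for version {stored['version']}")
        return self._decode(stored, fields)

    def read_with_latest_config(self, index):
        # Failure mode the version column prevents: newest field list on an old row.
        return self._decode(self.rows[index], self.cache[self.latest])


def demo():
    store = VersionedFieldCrypto()
    patient = {"name": "Zhang San", "id_card": "ID-0001", "phone_number": "13800000000"}
    store.write(patient, ["name", "id_card"])                  # requirement V1
    store.write(patient, ["name", "id_card", "phone_number"])  # requirement V2
    return store, patient


if __name__ == "__main__":
    store, patient = demo()
    print(store.rows[0]["version"], store.read(0) == patient)
    print(store.rows[1]["version"], store.read(1) == patient)
```

Reading row 0 with `read_with_latest_config` raises `ValueError`, because `phone_number` was stored in plaintext under version 1 and fails the ciphertext check.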
Referring to fig. 4, fig. 4 is a schematic structural diagram of a data read-write device of a database according to an embodiment of the present application. The data read/write device of the database in this embodiment includes modules for executing the steps in the embodiments corresponding to fig. 2 and 3. Refer specifically to fig. 2 and 3 and the related descriptions in the embodiments corresponding to fig. 2 and 3. For convenience of explanation, only the portions related to the present embodiment are shown. Referring to fig. 4, the data read/write apparatus 400 of the database may be applied to an interception module in an application server. The device includes an interception sub-module 410, a statement processing module 420 and a sending module 430, where the interception sub-module includes a first interception sub-module 410, the statement processing module 420 includes an encryption sub-module and the sending module 430 includes a first sending sub-module, and specifically:
The first interception sub-module is used for intercepting a database read-write request sent by the application program client; the database read-write request comprises a read-write statement for performing read-write operation on the database.
The encryption sub-module is used for carrying out encryption processing on the data of the target field in the read-write statement according to the first configuration information cached by the application program server side to obtain an encrypted read-write statement; the encryption read-write statement comprises first encryption data; the first configuration information is updated by the application program server based on the configuration information configured in the external configuration center server.
The first sending submodule is used for sending the encryption read-write statement to the database; the database is used for performing read-write operation on the first encrypted data.
In an embodiment, the data read-write device of the database further includes a parsing module and a determining module, where the determining module includes a first determining submodule:
The parsing module is used for analyzing the read-write statement and determining a target entity class containing a preset first mark annotation in the read-write statement.
The first determining submodule is used for determining a field containing a preset second mark annotation in the target entity class as a target field.
In one embodiment, the transmitting module 430 further includes a second transmitting sub-module:
The second sending submodule is used for sending the database read-write request to the database if the read-write statement does not contain the target entity class and/or the target entity class does not contain the target field.
In one embodiment, the statement processing module 420 is further configured to:
if the first encryption and decryption fields are not set in the first configuration information, or all the first encryption and decryption fields included in the first configuration information include the target field, encrypting the data of the target field by adopting a preset encryption mode to obtain an encryption read-write statement.
In an embodiment, the data read-write device of the database further includes a write processing module, where the write processing module includes a write sub-module:
The writing sub-module is used for writing the first encrypted data into the database if the encrypted read-write statement is a data writing statement.
In an embodiment, the write processing module further comprises a binding submodule:
The binding submodule is used for binding the first encrypted data with the latest version number in the configuration information storage table of the database if the encrypted read-write statement is a data write statement; the configuration information storage table records a plurality of versions of second configuration information.
The writing sub-module is used for synchronously writing the latest version number when the first encrypted data is written into the database.
In an embodiment, the data read-write device of the database further includes a decryption module, the interception sub-module 410 further includes a second interception sub-module, the determination module further includes a second determination sub-module, and the transmission module 430 further includes a third transmission sub-module:
The second interception sub-module is used for intercepting response data returned by the database in response to the first encrypted data if the encrypted read-write statement is a data read statement.
The second determining submodule is used for determining a target version number bound with the second encrypted data if the response data is the encrypted second encrypted data; the database is used for synchronously transmitting a target version number bound with the second encrypted data when the second encrypted data is transmitted; the second determining submodule is further used for determining target third configuration information corresponding to the target version number from an external cache of the database; the external cache stores a plurality of versions of third configuration information, and the plurality of versions of third configuration information are updated synchronously with the configuration information storage table in the database.
The decryption module is used for decrypting the second encrypted data based on the target third configuration information to obtain decrypted data.
The third sending sub-module is used for sending the decrypted data to the application program client.
In an embodiment, the data read-write device of the database further includes:
The acquisition module is used for acquiring a third encryption and decryption field contained in the third configuration information of the latest version from an external cache of the database.
The identification module is used for determining the first configuration information as the latest version of configuration information and re-identifying the latest version number of the latest version of configuration information if the third encryption and decryption field contained in the latest version of third configuration information is inconsistent with the first encryption and decryption field of the first configuration information.
The updating module is used for updating the latest version of the configuration information and the corresponding latest version number into the configuration information storage table of the database and the external cache.
It is to be understood that, in the schematic structural diagram of the data read/write device of the database shown in fig. 4, each module is configured to execute each step in the embodiments corresponding to fig. 2 and 3, and each step in the embodiments corresponding to fig. 2 and 3 is explained in detail in the foregoing embodiments, and specific reference is made to fig. 2 and 3 and related descriptions in the embodiments corresponding to fig. 2 and 3, which are not repeated herein.
In another embodiment, based on the explanation of fig. 1, in the embodiment of the present application, each device included in the data read-write system is further configured to perform each step in the embodiments corresponding to fig. 2 and 3. Refer specifically to fig. 2 and 3 and the related descriptions in the embodiments corresponding to fig. 2 and 3. For convenience of explanation, only the portions related to the present embodiment are shown. The details are as follows:
In an embodiment, the interception module is further configured to:
analyzing the read-write statement, and determining a target entity class containing a preset first mark annotation in the read-write statement; and determining a field containing a preset second mark annotation in the target entity class as a target field.
In an embodiment, the interception module is further configured to:
and if the read-write statement does not contain the target entity class and/or the target entity class does not contain the target field, sending a database read-write request to the database.
In an embodiment, the interception module is further configured to:
if the first encryption and decryption fields are not set in the first configuration information, or all the first encryption and decryption fields included in the first configuration information include the target field, encrypting the data of the target field by adopting a preset encryption mode to obtain an encryption read-write statement.
In an embodiment, the interception module is further configured to:
and if the encryption read-write statement is a data write statement, writing the first encryption data into the database.
In an embodiment, the interception module is further configured to:
if the encryption read-write statement is a data write statement, binding the first encryption data with the latest version number in the configuration information storage table of the database; the configuration information storage table records a plurality of versions of second configuration information;
when the first encrypted data is written into the database, the database synchronously writes the latest version number.
In an embodiment, the interception module is further configured to:
if the encryption read-write statement is a data read statement, intercepting response data returned by the database in response to the first encryption data; if the response data is encrypted second encrypted data, determining a target version number bound with the second encrypted data; the database is used for synchronously transmitting a target version number bound with the second encrypted data when the second encrypted data is transmitted; determining target third configuration information corresponding to the target version number from an external cache of the database; the external cache stores a plurality of versions of third configuration information, and the plurality of versions of third configuration information are synchronously updated with the configuration information storage table in the database; decrypting the second encrypted data based on the target third configuration information to obtain decrypted data; and sending the decrypted data to the application client.
In an embodiment, the interception module is further configured to:
acquiring a third encryption and decryption field contained in third configuration information of the latest version from an external cache of the database; if the third encryption and decryption field contained in the third configuration information of the latest version is inconsistent with the first encryption and decryption field of the first configuration information, determining the first configuration information as the configuration information of the latest version, and re-identifying the latest version number of the configuration information of the latest version; and updating the latest version of configuration information and the corresponding latest version number into a configuration information storage table of the database and an external cache.
It should be added that the interception module may be a section of software code module in the application server for implementing the database read-write method in each embodiment.
The embodiments of the present application provide a computer readable storage medium storing a computer program, where the computer program is executed by a processor to perform the data reading and writing method of the database in each of the embodiments described above.
Embodiments of the present application provide a computer program product, which when executed on an application client, causes the application client to perform the method for reading and writing data of the database in the foregoing embodiments.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A method for reading and writing data of a database, which is applied to an application server, the method comprising:
intercepting a database read-write request sent by an application program client; the database read-write request comprises a read-write statement for performing read-write operation on the database;
according to the first configuration information cached by the application program server, encrypting the data of the target field in the read-write statement to obtain an encrypted read-write statement; the encryption read-write statement comprises first encryption data; the first configuration information is updated by the application program server based on the configuration information configured in an external configuration center server;
Sending the encryption read-write statement to a database; the database is used for performing read-write operation on the first encrypted data.
2. The method of claim 1, further comprising, after intercepting the database read-write request sent by the application client:
analyzing the read-write statement, and determining a target entity class containing a preset first mark annotation in the read-write statement;
and determining a field containing a preset second mark annotation in the target entity class as the target field.
3. The method of claim 2, further comprising, after intercepting the database read-write request sent by the application client:
and if the read-write statement does not contain the target entity class and/or the target entity class does not contain the target field, sending the database read-write request to the database.
4. The method of claim 1, wherein the encrypting the data of the target field in the read-write statement according to the first configuration information cached by the application server to obtain an encrypted read-write statement comprises:
if a first encryption and decryption field is not set in the first configuration information, or all the first encryption and decryption fields included in the first configuration information include the target field, encrypting the data of the target field by adopting a preset encryption mode to obtain the encrypted read-write statement.
5. The method of claim 1, further comprising, after said sending said encrypted read-write statement to a database:
and if the encrypted read-write statement is a data write statement, writing the first encrypted data into the database.
6. The method of claim 1, further comprising, after said sending said encrypted read-write statement to a database:
if the encrypted read-write statement is a data write statement, binding the first encrypted data with the latest version number in a configuration information storage table of the database; the configuration information storage table records a plurality of versions of second configuration information;
and synchronously writing the latest version number when the first encrypted data is written into the database.
7. The method of claim 6, further comprising, after said sending said encrypted read-write statement to a database:
if the encrypted read-write statement is a data read statement, intercepting response data returned by the database in response to the first encrypted data;
if the response data is encrypted second encrypted data, determining a target version number bound with the second encrypted data; the database is used for synchronously transmitting the target version number bound with the second encrypted data when the second encrypted data is transmitted;
determining target third configuration information corresponding to the target version number from an external cache of the database; the external cache stores a plurality of versions of third configuration information, and the plurality of versions of third configuration information is updated synchronously with the configuration information storage table in the database;
decrypting the second encrypted data based on the target third configuration information to obtain decrypted data;
and sending the decrypted data to the application program client.
8. The method of any of claims 1-7, further comprising, prior to said sending the encrypted read-write statement to a database:
acquiring a third encryption and decryption field contained in third configuration information of the latest version from an external cache of the database;
if the third encryption and decryption field contained in the third configuration information of the latest version is inconsistent with the first encryption and decryption field of the first configuration information, determining the first configuration information as the configuration information of the latest version, and re-identifying the latest version number of the configuration information of the latest version;
and updating the latest version of configuration information and the latest version number to a configuration information storage table of the database and the external cache.
9. A data read-write system, characterized by comprising a database and an application server; the application server is connected with an external configuration center server, and the cached first configuration information is updated based on the configuration information configured in the configuration center server; the application server comprises an interception module and a database client; the interception module is respectively connected with the database and the database client;
the database client is used for sending a database read-write request sent by the application client to the interception module; the database read-write request comprises a read-write statement for performing a read-write operation on the database;
the interception module is used for intercepting the database read-write request, encrypting the data of the target field in the read-write statement to obtain an encrypted read-write statement, and sending the encrypted read-write statement to the database; the encrypted read-write statement comprises first encrypted data;
the database is used for receiving the encrypted read-write statement and performing a read-write operation on the first encrypted data.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 8.
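An added example, not part of the patent text, of the field selection in claim 4 and the version binding in claims 6 to 8: each stored row carries the configuration version it was written under, so a later change to the encrypted-field list does not break reads of older rows. The HMAC-based cipher is a standard-library stand-in for the unspecified "preset encryption mode"; `KEY`, `ConfigVersions`, `cfg_version`, `marked` and the row layout are assumptions made for illustration.

```python
import hashlib, hmac, os
KEY = b"constructed-demo-key"  # assumption: key handling is not described on the page

def _prf(label, data):
    return hmac.new(KEY, label + data, hashlib.sha256).digest()

def _xor(data, nonce):
    ks = b"".join(_prf(b"E", nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(value):
    # Stdlib stand-in for the unspecified "preset encryption mode"; use a vetted AEAD in practice.
    nonce = os.urandom(12)
    ct = _xor(value.encode(), nonce)
    return (nonce + ct + _prf(b"M", nonce + ct)[:16]).hex()

def decrypt(blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, _prf(b"M", nonce + ct)[:16]):
        raise ValueError("integrity check failed")
    return _xor(ct, nonce).decode()

class ConfigVersions:
    """Hypothetical stand-in for the configuration information storage table and its external cache."""
    def __init__(self):
        self.by_version, self.latest = {}, 0
    def sync(self, fields):
        # Claim 8: a field list that differs from the latest stored version gets a new version number.
        fields = frozenset(fields)
        if self.by_version.get(self.latest) != fields:
            self.latest += 1
            self.by_version[self.latest] = fields
        return self.latest

def _targets(marked, configured):
    # Claim 4: with no fields configured every marked field is encrypted, else only configured ones.
    return marked if not configured else marked & configured

def write_row(table, cfg, marked, row):
    targets = _targets(marked, cfg.by_version[cfg.latest])
    stored = {k: encrypt(v) if k in targets else v for k, v in row.items()}
    stored["cfg_version"] = cfg.latest  # claim 6: version number written with the ciphertext
    table.append(stored)

def read_row(cfg, marked, stored):
    # Claim 7: decrypt with the configuration bound to the row, not the current one.
    targets = _targets(marked, cfg.by_version[stored["cfg_version"]])
    return {k: decrypt(v) if k in targets else v for k, v in stored.items() if k != "cfg_version"}
```

Reading a row with the current configuration instead of its bound version would pass plaintext columns to `decrypt` and return ciphertext columns undecrypted once the field list changes.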

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311775580.7A CN117592086A (en) 2023-12-21 2023-12-21 Data reading and writing method, system and storage medium of database


Publications (1)

Publication Number Publication Date
CN117592086A (en) 2024-02-23

Family

ID=89918394

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311775580.7A Pending CN117592086A (en) 2023-12-21 2023-12-21 Data reading and writing method, system and storage medium of database

Country Status (1)

Country Link
CN (1) CN117592086A (en)

Similar Documents

Publication Publication Date Title
US12045361B1 (en) Methods and apparatus for encrypted indexing and searching encrypted data
US8375224B2 (en) Data masking with an encrypted seed
US7107459B2 (en) Secure CPU and memory management unit with cryptographic extensions
CN106971121B (en) Data processing method, device, server and storage medium
US8302169B1 (en) Privacy enhancements for server-side cookies
US8166313B2 (en) Method and apparatus for dump and log anonymization (DALA)
US8639948B2 (en) Encrypted data management in database management systems
US8874932B2 (en) Method for order invariant correlated encrypting of data and SQL queries for maintaining data privacy and securely resolving customer defects
US9152813B2 (en) Transparent real-time access to encrypted non-relational data
US20120290837A1 (en) Method and system for secured management of online XML document services through structure-preserving asymmetric encryption
US8769302B2 (en) Encrypting data and characterization data that describes valid contents of a column
CN111737720B (en) Data processing method and device and electronic equipment
CN113806777A (en) File access realization method and device, storage medium and electronic equipment
US11429735B2 (en) Method and apparatus for data encryption, method and apparatus for data decryption
WO2018184441A1 (en) Method and device for processing user information
CN108229190B (en) Transparent encryption and decryption control method, device, program, storage medium and electronic equipment
CN108170753B (en) Key-Value database encryption and security query method in common cloud
CN114428784A (en) Data access method and device, computer equipment and storage medium
CN114416773A (en) Data processing method, device, storage medium and server
CN117592086A (en) Data reading and writing method, system and storage medium of database
CN113901490A (en) SQL reconstruction-based base table data encryption storage method
CN110008657B (en) Method, storage medium, electronic device and system for protecting webpage code
CN117763611A (en) Sensitive information desensitizing method, electronic equipment and storage medium
CN117874097A (en) Ciphertext data fuzzy query method and device
CN118332014A (en) User information management method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination