At least some of the advantages of using views should be apparent. For instance, suppose you have a user who is interested in seeing which product categories have the most products and by which departments these products are sold. Without bogging down the discussion with an additional schema at this point, letís just suppose that you can create a view fulfilling these requirements as follows:
CREATE VIEW product_view (catid, catname, catcount, deptname) AS
Once this is done, your user can obtain the current listing by running a simple SELECT query on the view, like so:
SELECT * FROM product_view;
The view acts in all respects like any other table, except that your user does not need to worry about doing a join on three tables in order to obtain the data that he or she actually wants to see. Your user can order or filter the rows of this view:
SELECT * FROM product_view ORDER BY deptname, catname;
Or even use it in a join on another table:
SELECT DISTINCT(p.deptname), CONCAT(m.firstname, ' ', m.lastname) AS manager FROM product_view p
Of course, this join could very likely be done more efficiently by writing a new query against the original tables involved rather than using the view, and if the data were needed often enough in this form, you might want to define a new view that does so. If youíre in doubt, you can always compare the two methods using the EXPLAIN command to see how much of an efficiency boost you would gain from doing so.
Security and privacy protection are another issue that views can help to address. Letís look at a scenario involving employee records. Suppose we want to build an address book application for our company intranet allowing employees to obtain name, department, and internal contact information for other employees, but not giving access to confidential data such as salary history or home address and phone. We could define a view such as
CREATE VIEW address_book_view (fname, laname, dept, title, email, ext) AS
The address book application could then query this view as desired:
# List of mail room employees
These queries can include whatever sorting, filtering, and grouping criteria that are needed.
You donít have to worry about address book users obtaining confidential information like home telephone numbers, rates of pay, marital status, and so on, because that data is never available to themóor even to the programmers writing the address book application.
On the other hand, for the payroll department, a view such as this one would be more applicable:
CREATE VIEW payroll_view
By now, youíre probably getting the idea, but thereís more to keeping data secure than this. Not only do we sometimes need to prevent unauthorized par ties from reading certain types of information, but we must also be able to protect data from being overwritten when it shouldnít be. If you look back for a moment at the views that we created in the previous section, youíll recall that itís sometimes possible to update a view and thus update the data in the base table from which it derives. However, there are often times when we donít want this to happen. Some databases, like Oracle, allow you to deal with this type of situation by declaring a view to be read-only. MySQL doesnít afford this option.
So how do we accomplish this task? The answer lies in leveraging the MySQL privileges system, which applies to views in much the same way as it does to tables. For instance, we can use table-level permissions in such a way that users may access views but not their base tables. Still referring to the examples in the previous section, suppose we want to create a user named student who can access either of the big_cities or big_cities_students views, but not any of the base tables in the world database. You can create such a user using standard GRANT commands, as shown here:
This user then logs in using the MySQL Monitor, and runs a SELECT query on big_cities. However, when the user tries to run an UPDATE on this table, he or she gets an access denied error from MySQL:
When this user attempts to list all the tables and views in the world database, the user sees only those views for which he or she has been granted privileges on, just as with regular tables:
Then there is the question of users accessing information about how views are defined. First of all, you can rest assured that users canít find out whatís in base tables upon which they have no privileges by running a SHOW CREATE VIEW , as you can see here:
Users also cannot create views without restriction even on views (or tables) on which they have SELECT privileges, as shown here:
Beginning with MySQL 5.0.1, two new privilege types are introduced: the CREATE VIEW and SHOW CREATE VIEW privileges. Users must have the first of these privileges in order to create views and the second in order to see how existing views were created. In addition, users must have the proper privileges on the tables or views that they wish to use as the basis for new views.
Columns corresponding to these two privileges, named Create_view_priv and Show_view_priv, are added to the db, host, and user tables of the mysql database to accommodate these. Hereís the output of a SHOW CREATE TABLE statement showing how these columns are defined in the updated user table:
These privileges can be granted and revoked by setting the proper column values in the user, host, or db tables, or (preferably) through the use of one or more of the following:
A full discussion of these is beyond the scope of this chapter; however, if youíre familiar at all with the MySQL privilege system, you should not have a great deal of trouble figuring out how these commands ought to be used.
blog comments powered by Disqus