[RevServer tips] Spreading the load or why wise developers use asynchronous workflows
Pierre Sahores
psahores at free.fr
Wed Aug 4 17:29:41 EDT 2010
Please, follow the Andre's and Jeff's explainations as closely as possibe. It's realy important, if you don't want to get your dbs and, secondly, your accounts hacked in just some attempts.
Best, Pierre
RIA or Web served n-tier apps don't never need to provide a public access to SQL back-end. In setting the SQL servers to allow localhost or LAN access only via application's servers or cgis, we are sure to get the best from our SQL db without having to care about unneeded security glichies.
Le 4 août 2010 à 22:26, Andre Garzia a écrit :
> Jan,
>
> Will write a piece on this shortly, this is a big no no no!
>
> my lib RevSpark was created to serve exactly that situation where you need
> to be able to create simple CGIs that do not require complex views and
> stuff. I created it specifically to serve as an easy way to built RESTful
> services for database interaction.
>
> http://hg.andregarzia.com/revspark
>
> :D
>
> On Wed, Aug 4, 2010 at 5:20 PM, Jeff Massung <massung at gmail.com> wrote:
>
>> Never, ever, ever do this. ;-)
>>
>> It's basically asking for someone to hack - and nuke - your database out
>> from under you. You never want to connect to it remotely, and you never
>> want
>> to send SQL commands to it directly. Use an intermediate layer.
>>
>> For example, have a server process that accepts incoming connections and
>> [indirect] commands that will end up modifying the database. But that
>> process is capable of doing a lot of security checks:
>>
>> - Logins + permissions
>> - DOS attack checks
>> - Ensure validity of actions
>> - Much more...
>>
>> The 3rd one there is probably most important. Instead of having a remote
>> app
>> send direct SQL commands to a remotely hosted database, you create action
>> commands that end up performing the correct SQL under-the-hood.
>>
>> This has *many* advantages:
>>
>> - Clients have no direct access to the database (which may hold the data
>> for
>> many clients)
>> - You can change your data schema without a client ever knowing, and no
>> application updates are required.
>> - The data storage method is hidden from potential hackers.
>> - Much more...
>>
>> Jeff M.
>>
>> On Wed, Aug 4, 2010 at 3:10 PM, Bob Sneidar <bobs at twft.com> wrote:
>>
>>> Hi Jan.
>>>
>>> Is accessing your database directly from a remote location taboo? I'm
>>> developing an app that does exactly that!
>>>
>>> Bob
>>>
>>>
>>>
>> _______________________________________________
>> use-revolution mailing list
>> use-revolution at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-revolution
>>
>
>
>
> --
> http://www.andregarzia.com All We Do Is Code.
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-revolution
>
--
Pierre Sahores
mobile : (33) 6 03 95 77 70
www.woooooooords.com
www.sahores-conseil.com
More information about the use-livecode
mailing list