On-Rev mySQL security issues?

Kay C Lan lan.kc.macmail at gmail.com
Sun Nov 27 21:51:49 EST 2011


Hi Tim,

Sounds like you and me are on the same par, so appreciate that I am no
expert in this field, but I was able to achieve something similar to what
you are doing through a lot of help from those on this List, either
directly from posts or indirectly from their websites.

My project involved no commercial or personal data, so your security
concerns are likely to be at a higher level than my solution, so RevIgniter
might be your best bet.

For me I simply set up two additional accounts in postgreSQL (beyond my
on-rev user account that has full Admin privileges), one that could add,
modify and delete records (but not tables or dbs) and another that could
only select records for viewing. I then set up two separate webpages, one
that was for the person who could add, modify and delete records, and a
completely separate webpage for the public to view the data.

As an additional security step, whenever a record needed to be deleted,
the Admin User has to input certain key words, in certain key places in the
webform otherwise it will not be processed. With Rev and its strength with
chunk expressions, looking for certain words in certain places is sooooo
easy. I only included this because the data involved should never need
deleting so for it to happen would be very unusual.

The biggest help I got was the example - Simple Form - on Sarah's site:

http://www.troz.net/onrev/

Once I crossed the hurdle of getting a web Form talking to On-Rev, if my Rev
database code worked on my desktop db, I could generally figure out how to
get my on-rev code to talk to my on-rev db.

Also very helpful was stuff from Andre's site:

http://www.andregarzia.com/blog

Can't remember specifically what Andre's site helped me with, he does so
much both on his site and on this List it's like panning for gold, you know
you've struck it rich if Andre has the answer. I think his Bootstrapping a
CMS in 24h blog entry may have had some nuggets in it.

Finally Pierre answered a post I had to the List titled 'on-rev+postgreSQL'
which solved the missing part of the puzzle, how to add a little more
security with different users. I decided to move away from mySQL to
postgreSQL after reading so many mySQL license issues on this List, it
seemed postgreSQL just made all that headache go away. The only problem was
setting up additional users and their privileges wasn't as straightforward
as it was with mySQL.

Good luck.

On Sat, Nov 26, 2011 at 11:51 PM, Tim Selander <selander at tkf.att.ne.jp> wrote:

> Hi,
>
> I'm beginning to learn how to use <?rev scripts to access mysql databases
> on my on-rev.com account.
>
> I am going to allow users to search a catalog, but no uploading and no
> data entry or data editing...
>
> What, if any, security problems do I need to consider? mySQL newbie...
>
> Thanks,
>
> Tim Selander
> Tokyo, Japan
>
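
The two-account setup described in the message above (one account that can change records but not tables, one that can only select), sketched as PostgreSQL statements. This is an added example, not code from the original post; the role names, passwords and the `items` table are hypothetical.

```sql
-- Added example: run as the admin account that owns the table.
-- All names below (items, catalog_editor, catalog_reader) are hypothetical.

-- Constructed sample table standing in for the catalog data.
CREATE TABLE items (
    id    serial PRIMARY KEY,
    title text NOT NULL
);

-- Editor account: used only by the private add/modify/delete page.
CREATE ROLE catalog_editor LOGIN PASSWORD 'replace-with-editor-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Reader account: used by the public search page.
CREATE ROLE catalog_reader LOGIN PASSWORD 'replace-with-reader-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- On older PostgreSQL versions every role may create tables in schema
-- "public" by default; remove that so neither account can add tables.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO catalog_editor, catalog_reader;

-- Row-level rights only; no ownership, so no ALTER or DROP.
GRANT SELECT ON items TO catalog_reader;
GRANT SELECT, INSERT, UPDATE, DELETE ON items TO catalog_editor;

-- INSERT into a serial column needs nextval() on its sequence.
GRANT USAGE ON SEQUENCE items_id_seq TO catalog_editor;

-- Verify the result: the reader should show select only, the editor
-- should show row changes but no right to create tables.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'items', 'SELECT')  AS can_select,
       has_table_privilege(r.rolname, 'items', 'INSERT')  AS can_insert,
       has_table_privilege(r.rolname, 'items', 'UPDATE')  AS can_update,
       has_table_privilege(r.rolname, 'items', 'DELETE')  AS can_delete,
       has_schema_privilege(r.rolname, 'public', 'CREATE') AS can_create_tables
FROM pg_roles r
WHERE r.rolname IN ('catalog_editor', 'catalog_reader')
ORDER BY r.rolname;
```

The public page then connects as `catalog_reader`, so a flaw in its search form is limited to what a select-only account can do.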


