mySQL: PHP or direct access?

Peter Haworth pete at lcsql.com
Thu Aug 13 23:05:50 CEST 2015


Thanks BIll.  I understand about the tokenization but Livecode can already
do that within a direct connection without a server side script and, at
least for mySQL, can open a direct connection using SSL.

It still seems to me that, once security matters are dealt with, the choice
of server side script versus direct connection is more a matter of
preferred application architecture more than anything else.

My simplistic approach has always to use Livecode to get something done if
it's possible for Livecode to do it and it's acceptably efficient, so just
trying to resolve why I would spend time to learn php and write and debug
 a bunch of php scripts when it feels like Livecode would work just fine.

On Thu, Aug 13, 2015 at 1:16 PM William Prothero <prothero at earthednet.org>
wrote:

> Peter:
>
> > I'm probably still not understanding this completely, but how do I
> protect
> > against SQL injection attacks when using a server side interface? I can
> do
> > that very easily from within Livecode by using the parameterized
> variables
> > available with the revdbxxx calls but it seems like I would have to
> > implement my own version of that feature, perhaps by sending the
> statement
> > with placeholders as one message followed the values for the placeholders
> > in another.  I believe that's how it's done within the lc database
> library.
> >
> >
> > Or perhaps the structure of every individual SQL statement I need in the
> > application is known to the server side script and identified by an id of
> > some sort.  My application would then send the statement id and a list of
> > any required data values to the server side script instead of the SQL
> > statement, thus no SQL statement ever crosses the connection.
> >
> This is my understanding of the answer to your question (those who know
> more may correct me):
>
> If the user does not have access to the sql command syntax, through a text
> entry field, or local file contents (which can be edited), then the system
> is “pretty” secure. However, this doesn’t prevent anybody from directly
> accessing your php code from another program.  They might get the query
> info from a user’s keylogger spyware, or some other way of monitoring
> unsecured internet traffic. A secure connection, using https should be
> secure. However, better practice would be to use tokens in the serverside
> code and have the serverside code assemble the final sql query. This also
> depends on how critical your sql data are, and how valuable it is.
>
> You should also limit the privileges of the sql user to only those needed
> by your app. You probably don’t want them to be able to drop, and create
> new databases, for example.
>
> Good luck,
> Bill
>
> William A. Prothero
> http://es.earthednet.org/
>
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode


More information about the use-livecode mailing list