mySQL: PHP or direct access?

Peter Haworth pete at lcsql.com
Thu Aug 13 23:44:10 CEST 2015


I agree that SQL doesn't have much in the way of data sanitizing but
LiveCode does.  I also agree that there must be a good reason why most of
the world uses server side scripting, just trying to understand exactly
what that is.

I've been under the impression that if I use the variableslist parameter
available with the revDatabasexxx calls, I'm protected from SQL injection
attacks.  Even more so if I open the database connection using SSL. The
proverbial lightbulb will start to come on if that impression is wrong!


On Thu, Aug 13, 2015 at 2:27 PM Richard Gaskin <ambassador at fourthworld.com>
wrote:

> Peter Haworth wrote:
> > It still seems to me that, once security matters are dealt with, the
> > choice of server side script versus direct connection is more a matter of
> > preferred application architecture more than anything else.
>
> Ah, but there's the rub, "once security matters are dealt with".
>
> Correct me if I'm wrong, but as a storage-specific language I don't
> believe SQL offers as much for sanitizing as PHP, Ruby, LiveCode, and
> other more general languages.
>
> I think there's a good reason most of the world protects their DBs from
> open exposure to the Internet via an intermediary scripting language,
> more than just for the convenience of making REST APIs.
>
> --
>   Richard Gaskin
>   Fourth World Systems
>   Software Design and Development for the Desktop, Mobile, and the Web
>   ____________________________________________________________________
>   Ambassador at FourthWorld.com                http://www.FourthWorld.com
>
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
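The mechanism behind Peter's question, shown as an added example that is not part of the thread and not LiveCode's own code: a query built by string concatenation lets the caller's input reach the SQL parser, while a placeholder with a bound variable keeps the input as data. Python's sqlite3 module stands in for the revDatabase calls because it runs anywhere; whether a given LiveCode driver implements variablesList as true parameter binding or as client-side escaping is an assumption the reader should check in the driver documentation. Transport encryption (the SSL part of the question) is independent of this: it protects the connection, not the meaning of the query text.

```python
import sqlite3


def make_db():
    """Build a tiny in-memory database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("Ann",), ("O'Brien",)],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Query text assembled by string concatenation.

    The caller's input is spliced into the SQL grammar, so any quote or
    keyword in it is parsed as part of the statement rather than as data.
    """
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Same query with a placeholder and a bound variable.

    The statement text is fixed; the driver hands the value to the engine
    separately, so the database never parses the input as SQL. This is the
    behaviour a variables-list / parameter-binding API is meant to provide
    (assumed, not verified, for the LiveCode drivers).
    """
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on one input and report what happened to each."""
    conn = make_db()
    try:
        concatenated = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe is enough to break the concatenated statement;
        # the same property is what lets crafted input change its meaning.
        concatenated = "SQL error: " + str(exc)
    bound = lookup_bound(conn, name)
    conn.close()
    return {"concatenated": concatenated, "bound": bound}


if __name__ == "__main__":
    for sample in ("Ann", "O'Brien"):
        print(sample, "->", compare(sample))
```

Running it shows the plain name behaving identically in both paths, while the name with an apostrophe produces a syntax error from the concatenated statement and a correct row from the bound one. The practical check is simple: if adding a quote to the input changes how the statement parses, the input is reaching the parser and binding is not happening.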
