mySQL: PHP or direct access?
prothero at earthednet.org
Thu Aug 13 18:02:48 EDT 2015
The answer to the question is “where does the security failure occur?” The weak link is the transmission of the command from the local computer to the server. If you tokenize the command at the local computer level, you still have the problem. The remote server can be accessed by anybody (theoretically). So, suppose your remote server will accept an arbitrary sql command. On your local machine, tokenizing the sql command will prevent the user of your application from (possibly) creating a destructive sql command. But, the outside world can still initiate that command because the source is outside your application.
I hope that makes sense.
> On Aug 13, 2015, at 2:44 PM, Peter Haworth <pete at lcsql.com> wrote:
> I agree that SQL doesn't have much in the way of data sanitizing but
> Livecode does. I also agree that there must be a good reason why most of
> the world uses server side scripting, just trying to understand exactly
> what that is.
> I've been under the impression that if I use the variableslist parameter
> available with the revDatabasexxx calls, I'm protected from SQL injection
> attacks. Even more so if I open the database connection using SSL. The
> proverbial lightbulb will start to come on if that impression is wrong!
> On Thu, Aug 13, 2015 at 2:27 PM Richard Gaskin <ambassador at fourthworld.com> wrote:
>> Peter Haworth wrote:
>>> It still seems to me that, once security matters are dealt with, the
>>> choice of server side script versus direct connection is more a matter of
>>> preferred application architecture than anything else.
>> Ah, but there's the rub, "once security matters are dealt with".
>> Correct me if I'm wrong, but as a storage-specific language I don't
>> believe SQL offers as much for sanitizing as PHP, Ruby, LiveCode, and
>> other more general languages.
>> I think there's a good reason most of the world protects their DBs from
>> open exposure to the Internet via an intermediary scripting language,
>> more than just for the convenience of making REST APIs.
>> Richard Gaskin
>> Fourth World Systems
>> Software Design and Development for the Desktop, Mobile, and the Web
>> Ambassador at FourthWorld.com http://www.FourthWorld.com
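The three positions in the thread (Peter's "variablesList protects me from injection", prothero's "the server still accepts arbitrary SQL from anyone who can reach it", and Richard's "put an intermediary in front of the database") can be shown side by side in one runnable demo. The following is an added example, not code from the thread or from LiveCode. It uses Python's sqlite3 module as a stand-in for a LiveCode client talking to MySQL: email_by_name_param plays the role of a revDatabase call with variablesList, direct_sql models a database listener that runs whatever SQL a connected client sends, gateway models a server-side script that exposes named operations instead of SQL, and the SQLite authorizer hook stands in for a MySQL account granted only SELECT, since SQLite has no GRANT. The table, rows, attacker value and operation names are all constructed for the demo.

```python
import sqlite3

# Constructed sample schema and rows for this demo; they are not from the thread.
SEED_SQL = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL);
INSERT INTO users(name, email) VALUES ('alice', 'alice@example.org');
INSERT INTO users(name, email) VALUES ('bob',   'bob@example.org');
"""

# Constructed attacker value: closes the quoted literal and appends a tautology.
ATTACKER_NAME = "x' OR '1'='1"


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def email_by_name_concat(conn, name):
    """Vulnerable form: the value is spliced into the SQL text, so a quote in
    it becomes SQL syntax."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def email_by_name_param(conn, name):
    """Parameterized form: the value is bound to a placeholder after the SQL
    is parsed, the property LiveCode's variablesList argument gives you."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def direct_sql(conn, sql):
    """Stand-in for a database listener reachable from the Internet: it runs
    whatever SQL a connected client sends. How carefully *your* client binds
    parameters changes nothing here, because this caller is not your client."""
    conn.executescript(sql)


def table_exists(conn, table="users"):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row is not None


# Hypothetical allow-list of named operations a server-side script exposes.
ALLOWED_OPS = {
    "email_by_name": ("SELECT email FROM users WHERE name = ?", 1),
    "count_users":   ("SELECT COUNT(*) FROM users", 0),
}


def gateway(conn, op, *args):
    """Stand-in for the intermediary script (PHP, LiveCode Server, ...):
    callers name an operation and pass values; SQL text never crosses the wire."""
    if op not in ALLOWED_OPS:
        raise PermissionError("operation not exposed: %r" % (op,))
    sql, arity = ALLOWED_OPS[op]
    if len(args) != arity:
        raise ValueError("%s expects %d argument(s)" % (op, arity))
    return [row[0] for row in conn.execute(sql, args)]


def read_only(conn):
    """Least privilege at the database itself. SQLite has no GRANT, so the
    authorizer hook stands in for a MySQL account granted only SELECT."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def demo():
    """Run the scenarios and return what each one observed."""
    out = {}
    conn = make_db()
    out["concat"] = email_by_name_concat(conn, ATTACKER_NAME)  # every e-mail leaks
    out["param"] = email_by_name_param(conn, ATTACKER_NAME)    # no row matches
    direct_sql(conn, "DROP TABLE users;")                      # anyone who can connect
    out["survives_direct"] = table_exists(conn)

    conn = read_only(make_db())
    try:
        direct_sql(conn, "DROP TABLE users;")
        out["drop_denied"] = False
    except sqlite3.DatabaseError:                              # "not authorized"
        out["drop_denied"] = True
    out["survives_read_only"] = table_exists(conn)
    out["gateway_lookup"] = gateway(conn, "email_by_name", "alice")
    out["gateway_count"] = gateway(conn, "count_users")
    try:
        gateway(conn, "drop_users")
        out["gateway_refuses"] = False
    except PermissionError:
        out["gateway_refuses"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The first half confirms Peter's impression as far as it goes: binding the value stops the tautology from changing the query. The DROP TABLE in the first scenario is prothero's point: it succeeds because the listener, not the client, decides what runs, and the attacker never touched the client. The second half is the mitigation Richard describes, in two layers that belong together: a gateway that accepts operations rather than SQL, and a database account that could not execute a DROP even if SQL did reach it. SSL on the connection, which the thread also mentions, protects the bytes in transit but changes none of these outcomes.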