mySQL: PHP or direct access?

Dave Cragg dcragg at lacscentre.co.uk
Fri Aug 14 00:08:28 CEST 2015


> On 13 Aug 2015, at 22:44, Peter Haworth <pete at lcsql.com> wrote:
> 
> I agree that SQL doesn't have much in the way of data sanitizing but
> Livecode does.  I also agree that there must be a good reason why most of
> the world uses server side scripting, just trying to understand exactly
> what that is.
> 
> I've been under the impression that if I use the variableslist parameter
> available with the revDatabasexxx calls, I'm protected from SQL injection
> attacks.  Even more so if I open the database connection using SSL. The
> proverbial lightbulb will start to come on if that impression is wrong!


I don't know your specific setup, but I'm assuming the general case that the database is accessed over the internet, and there are multiple users of your application. If your application accesses the database directly, you will need to configure the database to accept remote connections, and presumably somehow make the database credentials available to the application. 

1. How to keep the credentials secure in the application?
2. If the credentials have to be updated, you would need to update all client applications.
3. You could be subject to remote attacks, especially if the database uses a standard port.

If you go through a server side process such as php or livecode scripts, you only need to have the database accept connections from a single address (typically localhost if the database and script are running on the same server). And only the server side script needs to know the database credentials.

Cheers
Dave Cragg


More information about the use-livecode mailing list