mySQL: PHP or direct access?

Peter Haworth pete at
Thu Aug 13 18:56:03 EDT 2015

Thanks Dave.  That's good info.

My questions are specifically related to mySQL which is able to accept
remote connections by design.

I see your point about passing the credentials but, as mentioned to Bill,
doesn't opening the database connection using SSL take care of that?  Same
for your point 3.

I also see your point about the need to update credentials on each client.
Don't have a follow up on that one :-)

I do like the idea of only a single connection to the db from the server
side script.  But don't you then start getting into multiple thread issues
for performance reasons?

Once again, just trying to understand all the implications before going
down the wrong path.

On Thu, Aug 13, 2015 at 3:08 PM Dave Cragg <dcragg at> wrote:

> > On 13 Aug 2015, at 22:44, Peter Haworth <pete at> wrote:
> >
> > I agree that SQL doesn't have much in the way of data sanitizing but
> > Livecode does.  I also agree that there must be a good reason why most of
> > the world uses server side scripting, just trying to understand exactly
> > what that is.
> >
> > I've been under the impression that if I use the variableslist parameter
> > available with the revDatabasexxx calls, I'm protected from SQL injection
> > attacks.  Even more so if I open the database connection using SSL. The
> > proverbial lightbulb will start to come on if that impression is wrong!
> I don't know your specific setup, but I'm assuming the general case that
> the database is accessed over the internet, and there are multiple users of
> your application. If your application accesses the database directly, you
> will need to configure the database to accept remote connections, and
> presumably somehow make the database credentials available to the
> application.
> 1. How to keep the credentials secure in the application?
> 2. If the credentials have to be updated, you would need to update all
> client applications.
> 3. You could be subject to remote attacks, especially if the database uses
> a standard port.
> If you go through a server side process such as php or livecode scripts,
> you only need to have the database accept connections from a single address
> (typically localhost if the database and script are running on the same
> server). And only the server side script needs to know the database
> credentials.
> Cheers
> Dave Cragg
> _______________________________________________
> use-livecode mailing list
> use-livecode at
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:

More information about the Use-livecode mailing list