MySQL: PHP or direct access?

Dave Cragg dcragg at lacscentre.co.uk
Fri Aug 14 09:43:53 EDT 2015


Ralph,

See Peter's comments about non-security considerations too.

Also note I have no security qualifications other than a mix of paranoia and a sometimes suspicious mind. 

> 3) The client uses https requests. I am assuming that the URL itself is
> encrypted so any of the commands to my web service can't be sniffed.

I'm not sure about this. It probably can't be sniffed by a third party, but I'm wondering if it can be viewed by the user. For example, in a browser, you can usually use development tools to see the content of all requests, even if using https. If your application is structured as a standalone file plus a stack in a separate file, and all the functionality is in the separate file, can a user open that stack in the LC environment and add some url logging functionality to see what is going on? Perhaps. I'd assume the user can see what's happening.

> Does this model eliminate the need for parameterized queries?
> Can I send SQL from the client and be safe or do I need to set up some only
> known to me data structure for DB requests?

I'd answer "no" to both questions.

The typical way to handle this is to have any sql created in the server-side script. The client app would then make a url request that identifies the action to be taken and any parameters that are required. The server script would do some/all of the following:

- authenticate the user 
- run authorization checks (e.g. if the user passes in an ID for some resource, check that this user is authorized to see that resource, so Johnny can't see Susie's test results or whatever)
- sanitize any parameters that might be used in the sql query (using parameterized queries, or some other method)

Cheers
Dave
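As an added illustration of the server-side pattern described above (example code, not from the post, from Dave, or from LiveCode), here is a small Python stand-in for the PHP script: the client names an action and passes parameters, and the script authenticates, checks authorization, and binds every value through a parameterized query. It uses an in-memory SQLite database with constructed users, tokens and results; the table and token names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users with API tokens, each owning one test result."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users   (id INTEGER PRIMARY KEY, name TEXT, token TEXT);
        CREATE TABLE results (id INTEGER PRIMARY KEY, owner_id INTEGER, score INTEGER);
        INSERT INTO users   VALUES (1, 'Johnny', 'tok-johnny'), (2, 'Susie', 'tok-susie');
        INSERT INTO results VALUES (10, 1, 71), (11, 2, 94);
    """)
    return db


def authenticate(db, token):
    """Step 1: map the presented token to a user id, or None if it is unknown."""
    row = db.execute("SELECT id FROM users WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def get_result(db, user_id, params):
    """Action handler: fetch one test result, but only if it belongs to the caller."""
    try:
        result_id = int(params.get("id", ""))   # reject anything that is not a plain integer
    except ValueError:
        return {"error": "bad id"}
    # Step 3: the SQL text is fixed here; the value is bound, never concatenated.
    row = db.execute("SELECT owner_id, score FROM results WHERE id = ?",
                     (result_id,)).fetchone()
    # Step 2: authorization. Missing and not-yours give the same answer, so
    # Johnny cannot probe which ids exist by asking for Susie's.
    if row is None or row[0] != user_id:
        return {"error": "not found"}
    return {"id": result_id, "score": row[1]}


# Only actions listed here can be invoked; the client never supplies SQL.
ACTIONS = {"get_result": get_result}


def handle_request(db, token, action, params):
    """Server-side entry point for one HTTPS request from the client app."""
    user_id = authenticate(db, token)
    if user_id is None:
        return {"error": "unauthenticated"}
    handler = ACTIONS.get(action)
    if handler is None:
        return {"error": "unknown action"}
    return handler(db, user_id, params)
```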
