On-Rev mySQL security issues? -- or use an LC stack for the DB?
selander at tkf.att.ne.jp
Sun Nov 27 22:55:32 EST 2011
Appreciate the input... I've wondered about mySQL's license, too.
Here is additional info. My catalog is an archive of the radio
and TV programs we've aired. We will create the database and add
to it bit by bit behind the scenes. No data will be input through
the web/browser -- strictly look ups: Find all programs from year
1999 that had Mr. Suzuki as a guest, and listen to them; that
sort of thing. I've got a simple test working ok with mySQL, but
no input validation yet.
Do I need input validation if the web interface is search only?
Also, I understand that the new LC server available on on-rev.com
can serve stacks. Would it be less hassle/security risk to use a
data stack, or even a big text file, as the database? We'll
probably max out at 10,000 records or so... not breaking a sweat
for a sql database. Manageable on a stack? Need UTF8 (Japanese)
which is working nicely with the web/mysql combo...
Any thoughts on validation needs for lookups only? And on using a
stack or text file for the data? (Hmmm... how does the LC server
handle variables - limit on size?)
On 11/28/11 11:51 AM, Kay C Lan wrote:
> Hi Tim,
> Sounds like you and I are on the same par, so appreciate that I am no
> expert in this field, but I was able to achieve something similar to what
> you are doing through a lot of help from those on this List, either
> directly from posts or indirectly from their websites.
> My project involved no commercial or personal data, so your security
> concerns are likely to be at a higher level than my solution, so RevIgniter
> might be your best bet.
> For me I simply set up two additional accounts in postgreSQL (beyond my
> on-rev user account that has full Admin privileges), one that could add,
> modify and delete records (but not tables or dbs) and another that could
> only select records for viewing. I then set up two separate webpages, one
> that was for the person who could add, modify and delete records, and a
> completely separate webpage for the public to view the data.
> As an additional security step, whenever a record needed to be deleted,
> the Admin User has to input certain key words, in certain key places in the
> webform otherwise it will not be processed. With Rev and its strength with
> chunk expressions, looking for certain words in certain places is sooooo
> easy. I only included this because the data involved should never need
> deleting so for it to happen would be very unusual.
> The biggest help I got was the example - Simple Form - on Sarah's site:
> Once I crossed the hurdle of getting a web Form talking to On-Rev if my Rev
> database code worked on my desktop db, I could generally figure out how to
> get my on-rev code to talk to my on-rev db.
> Also very helpful was stuff from Andre's site:
> Can't remember specifically what Andre's site helped me with, he does so
> much both on his site and on this List it's like panning for gold, you know
> you've struck it rich if Andre has the answer. I think his Bootstrapping a
> CMS in 24h blog entry may have had some nuggets in it.
> Finally Pierre answered a post I had to the List titled 'on-rev+postgreSQL'
> which solved the missing part of the puzzle, how to add a little more
> security with different users. I decided to move away from mySQL to
> postgreSQL after reading so many mySQL license issues on this List, it
> seemed postgreSQL just made all that headache go away. The only problem was
> setting up additional users and their privileges wasn't as straight forward
> as it was with mySQL.
> Good luck.
> On Sat, Nov 26, 2011 at 11:51 PM, Tim Selander <selander at tkf.att.ne.jp> wrote:
>> I'm beginning to learn how to use <?rev scripts to access mysql databases
>> on my on-rev.com account.
>> I am going to allow users to search a catalog, but no uploading and no
>> data entry or data editing...
>> What, if any, security problems do I need to consider? mySQL newbie...
>> Tim Selander
>> Tokyo, Japan
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
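The question at the top of the thread, whether a search-only web form needs input validation, is easiest to answer with a concrete query. The following is an added example and is not code from the thread, from LiveCode or from on-rev; it stands in for the `<?rev ... ?>` script talking to MySQL. SQLite is used so it runs offline, but the UNION technique it demonstrates works the same way against MySQL. The table names (`programs`, `admins`), the column names and all sample rows are constructed for the example.

```python
"""Added example, not code from the original thread or from LiveCode.

It answers "do I need input validation if the web interface is search
only?" by showing what an unvalidated search string can do to a read-only
catalog lookup. SQLite stands in for the on-rev MySQL server so this runs
offline; a UNION injection behaves the same way against MySQL. Table and
column names (programs, admins) and the sample rows are constructed."""
import re
import sqlite3

# Constructed catalog rows: (year, guest, title), with Japanese guest names
# to mirror the UTF-8 requirement mentioned in the thread.
PROGRAMS = [
    (1999, "鈴木一郎", "Sunday Talk"),
    (1999, "田中花子", "Morning News"),
    (2001, "鈴木一郎", "Year in Review"),
]
# A constructed table the public search page is never meant to expose.
ADMINS = [("tim", "not-a-real-hash")]


def make_db():
    """Build the in-memory test database with both tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE programs (year INTEGER, guest TEXT, title TEXT)")
    con.executemany("INSERT INTO programs VALUES (?, ?, ?)", PROGRAMS)
    con.execute("CREATE TABLE admins (username TEXT, pwhash TEXT)")
    con.executemany("INSERT INTO admins VALUES (?, ?)", ADMINS)
    return con


def search_unsafe(con, guest):
    """Lookup built by string concatenation: the browser's text becomes SQL."""
    sql = ("SELECT year, guest, title FROM programs WHERE guest = '"
           + guest + "' ORDER BY year")
    return con.execute(sql).fetchall()


def search_safe(con, guest):
    """Same lookup with a bound parameter: the text can only ever be a value."""
    sql = "SELECT year, guest, title FROM programs WHERE guest = ? ORDER BY year"
    return con.execute(sql, (guest,)).fetchall()


def parse_year(text):
    """Allow-list validation for a numeric field: exactly four digits or None.

    Worth doing even with bound parameters, so that garbage input is rejected
    before it reaches the database at all."""
    return int(text) if re.fullmatch(r"\d{4}", text.strip()) else None


# What an attacker types into the "guest" box of a search-only form. The
# closing quote ends the intended literal, UNION appends rows from another
# table, and the trailing -- comments out the rest of the original statement.
PAYLOAD = "x' UNION SELECT 0, username, pwhash FROM admins -- "


if __name__ == "__main__":
    db = make_db()
    print("honest search, unsafe:", search_unsafe(db, "鈴木一郎"))
    print("honest search, safe:  ", search_safe(db, "鈴木一郎"))
    print("payload, unsafe:", search_unsafe(db, PAYLOAD))  # leaks the admins table
    print("payload, safe:  ", search_safe(db, PAYLOAD))    # [] (no such guest)
    print("year field:", parse_year("1999"), parse_year("1999 OR 1=1"))
```

The point the example makes: "search only" restricts what the page intends to do, not what the database will do with whatever SQL it receives, so a lookup page needs parameter binding just as much as an editing page does. In LiveCode the equivalent of `search_safe` is passing `:1`, `:2` placeholders in the query string to `revQueryDatabase` along with the variable names, rather than concatenating the form field into the SQL. Kay's approach of a separate SELECT-only database account is the complementary control: it limits what a successful injection can reach, but it does not stop one from reading other tables in the same database, as the UNION above shows.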