mySQL: PHP or direct access?

Mark Waddingham mark at livecode.com
Thu Aug 13 13:29:11 EDT 2015


In general it is not advised to directly connect to databases over the Internet and it is considered better practice to front your db access through an http interface (which you could equally well implement in LC server running and connecting locally to the db on the server).

One reason to do this is that it helps separate the db from the API used to access it. This reduces the 'surface area of attack' to just the specific HTTP API you develop for your client to connect to. It also means you can separate the API from the DB scheme, making it easier to evolve, maintain and update.

Another reason (which is perhaps getting slightly less important as tech evolves) is that public wifi access points can restrict which ports you can access with some only allowing mail and web service access. As MySQL and other services will run on other ports to these, they would be inaccessible in some locations.

If this is an application running on a local network which can be secured itself, the main reason would just be structure - i.e. the separation of the backend storage implementation from the API clients vector through to perform their functions.

Mark.


> On 13 Aug 2015, at 18:16, Peter Haworth <pete at lcsql.com> wrote:
> 
> What are the pluses and minuses you get from using php as a middleman to
> access a mySQL database on a server versus accessing the mySQL database
> directly from LC?
> 
> Web sources typically mention two main benefits: php runs on any platform,
> and it's easier to create dynamic web pages.  I think the first one really
> has to do with using php over any other server side language rather than
> direct vs indirect db access.
> 
> So assuming I have a Livecode application that does not generate dynamic
> web pages, what other reasons might there be to use php (or not)?  And if I
> do use php, how do I protect against sql injection attacks?
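
The pattern discussed in this thread, as an added example that is not part of the original messages: a single-purpose PHP endpoint that fronts the database and passes client input only as a bound parameter. The endpoint, table and column names are assumptions, and an in-memory SQLite database with constructed rows stands in for the local MySQL server so the script runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical endpoint: the only operation exposed to clients is
// "look up one customer by e-mail address". The client never sends SQL.

function connect(): PDO
{
    // On a real server this would be a local MySQL DSN, for example
    // 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', using an account
    // that only has SELECT on this table. SQLite is a stand-in here.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO customers (email, name) VALUES
        ('ann@example.com', 'Ann'), ('bob@example.com', 'Bob')");
    return $pdo;
}

function findCustomer(PDO $pdo, string $email): array
{
    // Validate the shape of the input before it gets near the database.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['status' => 400, 'body' => ['error' => 'invalid email']];
    }
    // The SQL text is fixed; the value travels separately as a bound parameter,
    // so quote characters in it are data and never part of the statement.
    $stmt = $pdo->prepare('SELECT id, name FROM customers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false
        ? ['status' => 404, 'body' => ['error' => 'not found']]
        : ['status' => 200, 'body' => $row];
}

$pdo = connect();
if (PHP_SAPI === 'cli') {
    // Constructed inputs: a known address, an unknown one, one containing a quote.
    foreach (['ann@example.com', 'nobody@example.com', "o'brien@example.com"] as $input) {
        echo $input, ' => ', json_encode(findCustomer($pdo, $input)), PHP_EOL;
    }
} else {
    // Accept only a scalar string from the query string.
    $email = is_string($_GET['email'] ?? null) ? $_GET['email'] : '';
    $result = findCustomer($pdo, $email);
    http_response_code($result['status']);
    header('Content-Type: application/json');
    echo json_encode($result['body']);
}
```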



