mySQL: PHP or direct access?

William Prothero prothero at earthednet.org
Thu Aug 13 16:15:56 EDT 2015


Peter:

> I'm probably still not understanding this completely, but how do I protect
> against SQL injection attacks when using a server side interface? I can do
> that very easily from within Livecode by using the parameterized variables
> available with the revdbxxx calls but it seems like I would have to
> implement my own version of that feature, perhaps by sending the statement
> with placeholders as one message followed by the values for the placeholders
> in another.  I believe that's how it's done within the lc database library.
> 
> Or perhaps the structure of every individual SQL statement I need in the
> application is known to the server side script and identified by an id of
> some sort.  My application would then send the statement id and a list of
> any required data values to the server side script instead of the SQL
> statement, thus no SQL statement ever crosses the connection.
> 
This is my understanding of the answer to your question (those who know more may correct me):

If the user does not have access to the SQL command syntax, through a text entry field or local file contents (which can be edited), then the system is “pretty” secure. However, this doesn’t prevent anybody from directly accessing your PHP code from another program. They might get the query info from a user’s keylogger spyware, or some other way of monitoring unsecured internet traffic. A secure connection, using HTTPS, should be secure. However, better practice would be to use tokens in the server-side code and have the server-side code assemble the final SQL query. This also depends on how critical your SQL data are, and how valuable they are.

You should also limit the privileges of the SQL user to only those needed by your app. You probably don’t want them to be able to drop and create new databases, for example.

Good luck,
Bill

William A. Prothero
http://es.earthednet.org/
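The scheme Peter sketches (the client sends a statement id plus a list of values, and the SQL itself stays on the server) combined with Bill's points about server-side assembly and a limited-privilege database user, as an added PHP example that is not from this thread or from LiveCode's database library. The table and column names, the DSN and the `app_ro` credentials are placeholders; the client is assumed to POST a JSON body of the form `{"stmt": "...", "values": {...}}`.

```php
<?php
// Added example: server-side endpoint that maps a statement id to a
// prepared statement and binds the client's values as parameters, so
// no SQL text ever crosses the connection and values are never parsed
// as SQL. Table/column names, DSN and credentials are hypothetical.

$statements = [
    // id => [SQL with named placeholders, required parameter names]
    'get_user'     => ['SELECT id, name FROM users WHERE id = :id', ['id']],
    'find_by_name' => ['SELECT id, name FROM users WHERE name = :name', ['name']],
    'add_score'    => ['INSERT INTO scores (user_id, score) VALUES (:uid, :score)', ['uid', 'score']],
];

$input = json_decode(file_get_contents('php://input'), true);
if (!is_array($input)) {
    $input = [];
}
$stmtId = $input['stmt'] ?? '';
$values = $input['values'] ?? [];

// Unknown id or malformed values: refuse, never fall back to client-supplied SQL.
if (!isset($statements[$stmtId]) || !is_array($values)) {
    http_response_code(400);
    exit(json_encode(['error' => 'unknown statement']));
}
[$sql, $params] = $statements[$stmtId];

// Connect as a least-privilege account (e.g. SELECT/INSERT on the app's
// tables only; no DROP or CREATE), as recommended above.
$pdo = new PDO('mysql:host=localhost;dbname=appdb;charset=utf8mb4', 'app_ro', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

$stmt = $pdo->prepare($sql);
foreach ($params as $name) {
    if (!array_key_exists($name, $values)) {
        http_response_code(400);
        exit(json_encode(['error' => "missing value: $name"]));
    }
    // The statement text was already sent to MySQL by prepare(); bound values
    // travel separately, so their content cannot change the query structure.
    $stmt->bindValue(':' . $name, $values[$name]);
}
$stmt->execute();

header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Adding a new query means adding one entry to `$statements`; a client that sends an id not in that table gets a 400 and nothing reaches the database.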
