> On 13 Aug 2015, at 22:44, Peter Haworth <p...@lcsql.com> wrote:
> 
> I agree that SQL doesn't have much in the way of data sanitizing but
> Livecode does.  I also agree that there must be a good reason why most of
> the world uses server side scripting, just trying to understand exactly
> what that is.
> 
> I've been under the impression that if I use the variableslist parameter
> available with the revDatabasexxx calls, I'm protected from SQL injection
> attacks.  Even more so if I open the database connection using SSL. The
> proverbial lightbulb will start to come on if that impression is wrong!

I don't know your specific setup, but I'm assuming the general case that the 
database is accessed over the internet, and there are multiple users of your 
application. If your application accesses the database directly, you will need 
to configure the database to accept remote connections, and presumably somehow 
make the database credentials available to the application. 

1. How do you keep the credentials secure in the application?
2. If the credentials have to be updated, you would need to update all client 
applications.
3. You could be subject to remote attacks, especially if the database uses a 
standard port.

If you go through a server-side process such as PHP or LiveCode scripts, you 
only need to have the database accept connections from a single address 
(typically localhost if the database and script are running on the same 
server). And only the server-side script needs to know the database credentials.

Cheers
Dave Cragg
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
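The two points raised in this exchange (whether binding variables instead of splicing them into SQL text stops injection, and why a server-side process that holds the credentials sits between the client and the database) can be shown in a few lines. The following is an added example, not code from the thread or from LiveCode; it uses Python's sqlite3 module with an in-memory database and constructed sample rows. The `?` placeholder plays the role that the thread attributes to the variableslist parameter: the driver passes the value separately, so it is never parsed as SQL. The `handle_request` function stands in for the server-side script: only it knows the connection, the client supplies just a name, and the name is allow-listed before the bound query runs. The payload string and table contents are made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: a two-row users table in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # Vulnerable form: the untrusted value is spliced into the SQL text, so
    # a quote in the input changes the statement the database parses.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    # Bound form: the statement text is fixed and the value travels as a
    # parameter. The same input is matched literally, quotes and all.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed injection payload: closes the string and adds an always-true
# condition, so a concatenated query returns every row.
PAYLOAD = "x' OR '1'='1"

# Hypothetical allow-list for the one field a client is permitted to send.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def handle_request(conn, request):
    """Stand-in for a server-side script: the client never sees the
    database connection or its credentials, only this narrow interface.
    Returns a (status, rows) pair."""
    name = request.get("name", "")
    if not NAME_RE.match(name):
        # Reject before the value gets anywhere near the database.
        return ("rejected", [])
    return ("ok", lookup_bound(conn, name))


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concat(db, PAYLOAD))   # both rows leak
    print("bound:       ", lookup_bound(db, PAYLOAD))    # no match
    print("handler:     ", handle_request(db, {"name": PAYLOAD}))
    print("handler:     ", handle_request(db, {"name": "alice"}))
```

Run it and the concatenated query returns both rows for the payload while the bound query returns none. The handler adds the second layer from the thread: even a client that sends hostile input reaches only a fixed, bound statement through a process that has the credentials, so the database itself can be configured to accept connections from that one address rather than from every copy of the client.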