Re: [whatwg] HTML6 single-page apps without Javascript proposal now on Github

From: Janusz Majnert <j.majnert@samsung.com>
Date: Wed, 25 Mar 2015 08:39:38 +0100
Message-id: <5512663A.3040408@samsung.com>
To: whatwg@lists.whatwg.org

On 24.03.2015 21:29, Bobby Mozumder wrote:
>> Also, I'm a little terrified of having SQL directly in the markup. There's
>> so much potential for that to go horribly wrong. Personally, I feel things
>> that involve data retrieval should be better handled by endpoints that
>> return HTML, XML, or JSON. Putting it in the user-accessible markup is
>> dangerous.
> It’s just a URL syntax that now allows for SQL statements.  It’s not the actual connection to a database.  If you connect to a remote server, the server can decide to grant you whatever authorization it wishes, through OAuth tokens in the header, through the URL syntax, or whatever.  And, for local databases, you can have full control if you want.
>> Some of these things you're asking the browser to do, I don't think the
>> browser should be doing. Fundamentally, web sites are a client/server
>> model, and we shouldn't heap on too much into the client side. Part of the
>> problem with that is the computational complexity (which is a problem in
>> developing countries where low end devices are the norm). The other part is
>> that you are essentially trusting the user device to be secure, which is a
>> terrible idea no matter how you slice it.
> I never said the client would be considered trusted.  Not sure where you got that?
> Right now, when you request data via an API endpoint URL, the remote web server transforms that into an SQL query.
> This proposal lets you request data via an SQL syntax.  The remote web server would still need to transform that syntax into an SQL query that’s fit for the server.
> For example:
> 	SELECT first_name, last_name FROM users;
> would be transformed into:
> 	SELECT first_name, last_name FROM users WHERE manager="Boss Man";
> And this proposal also eliminates the need for a transformative app server when accessing local databases.

OK. This makes no sense to me.

So you propose that the server does simple translation of SQL from URL 
to actual query, but you don't see any security issue with this?
If on the other hand you're proposing that the server validates the SQL 
sent by the client, then the simplest (and proven) solution is to have an 
API entry point that does the query that your client wants without any 
SQL in the URLs.

Janusz Majnert
Senior Software Engineer
Samsung R&D Institute Poland
Samsung Electronics
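The two designs discussed above side by side, as an added example that is not part of the thread: a fixed API entry point that holds the SQL server-side, and the proposal's "server translates the URL SQL" step written as strictly as it would have to be. The `/users` endpoint, the session-derived `manager` value and the sample rows are assumptions.

```python
import re
import sqlite3

# Constructed sample rows; the "manager" column models the server-side
# scoping ("WHERE manager=...") that the thread describes.
SAMPLE_USERS = [
    ("Ann", "Lee", "Boss Man"),
    ("Bo", "Diaz", "Boss Man"),
    ("Cy", "Park", "Other Boss"),
]
ALLOWED_FIELDS = ("first_name", "last_name")


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (first_name TEXT, last_name TEXT, manager TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def users_endpoint(con, manager, fields):
    """Hypothetical API entry point, e.g. GET /users?fields=first_name,last_name.

    The client only names columns from an allowlist; the SQL text and the
    scoping predicate live on the server, and `manager` comes from the
    authenticated session rather than from the URL.
    """
    unknown = set(fields) - set(ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    sql = f"SELECT {', '.join(fields)} FROM users WHERE manager = ? ORDER BY rowid"
    return con.execute(sql, (manager,)).fetchall()


# The only statement shape the translator is willing to accept.
_CLIENT_SQL = re.compile(
    r"^\s*SELECT\s+([a-z_]+(?:\s*,\s*[a-z_]+)*)\s+FROM\s+users\s*;?\s*$", re.I)


def translate_client_sql(con, manager, client_sql):
    """Models the thread's 'server translates the URL SQL' step.

    Appending WHERE manager=... to arbitrary client text cannot be made safe,
    so the defensible version parses the statement against a strict grammar
    and rejects anything else; at that point it is an endpoint in disguise.
    """
    m = _CLIENT_SQL.match(client_sql)
    if not m:
        raise ValueError("client SQL does not match the permitted statement shape")
    fields = [f.strip() for f in m.group(1).split(",")]
    return users_endpoint(con, manager, fields)
```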
Received on Wednesday, 25 March 2015 07:40:08 UTC