W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2015

Re: [whatwg] HTML6 single-page apps without Javascript proposal now on Github

From: Michael A. Peters <mpeters@domblogger.net>
Date: Wed, 25 Mar 2015 01:07:22 -0700
Message-ID: <55126CBA.8080008@domblogger.net>
To: whatwg@lists.whatwg.org

On 03/25/2015 12:39 AM, Janusz Majnert wrote:

> OK. This makes no sense for me.
> So you propose that the server does simple translation of SQL from url
> to actual query, but you don't see any security issue with this?
> If on the other hand you're proposing that the server validates the sql
> sent by client, then the simplest (and proven) solution is to have an
> API entry point that does the query that your client wants without any
> sql in the urls.

Yes I have to agree with that, input needs to be validated on the server 
and preferably bound to a prepared statement, and that is something 
easiest to do with post/get variables that server side languages already 
are equipped to do w/o exposing table / column structure - and easily 
allows for different caching engines to be used as needed to reduce load 
on the SQL server.
Received on Wednesday, 25 March 2015 08:07:47 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:29 UTC