- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Wed, 25 Mar 2015 01:07:22 -0700
- To: whatwg@lists.whatwg.org
On 03/25/2015 12:39 AM, Janusz Majnert wrote:
>
> OK. This makes no sense for me.
>
> So you propose that the server does simple translation of SQL from url
> to actual query, but you don't see any security issue with this?
> If on the other hand you're proposing that the server validates the sql
> sent by client, then the simplest (and proven) solution is to have an
> API entry point that does the query that your client wants without any
> sql in the urls.

Yes, I have to agree with that. Input needs to be validated on the server and preferably bound to a prepared statement, and that is something easiest to do with POST/GET variables, which server-side languages are already equipped to handle w/o exposing table / column structure, and which easily allows for different caching engines to be used as needed to reduce load on the SQL server.
Received on Wednesday, 25 March 2015 08:07:47 UTC
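The pattern both posters describe (a fixed API entry point that takes ordinary GET/POST parameters, validates them server-side, and binds them to a prepared statement, so no SQL ever travels in the URL) as an added example; this is illustrative code written for this page, not code from the thread or from any project discussed in it. It uses Python's standard `sqlite3` module with an in-memory table of constructed sample rows; the endpoint name `search_products`, the parameter names `name`, `max_price` and `sort`, and the allow-list `SORT_COLUMNS` are assumptions for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the server-side store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)],
    )
    conn.commit()
    return conn


# Identifiers (table and column names) cannot be bound as parameters, so the
# client only ever names an allow-listed key; the server maps it to a column.
# The client never learns or controls the real schema.
SORT_COLUMNS = {"name": "name", "price": "price"}

# Allow-list for the free-text filter: letters, digits, space, '_' and '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{0,64}$")


class BadRequest(ValueError):
    """Raised when a request parameter fails validation (maps to HTTP 400)."""


def search_products(conn, params):
    """Hypothetical API entry point; `params` is the decoded GET/POST dict.

    Every field is validated first, then bound to a prepared statement whose
    SQL text is fixed at the server. The caller sends values, never SQL.
    """
    name = params.get("name", "")
    if not NAME_RE.match(name):
        raise BadRequest("invalid name filter")

    max_price = params.get("max_price")
    if max_price is not None:
        try:
            max_price = float(max_price)
        except ValueError:
            raise BadRequest("max_price must be a number")

    sort = params.get("sort", "name")
    if sort not in SORT_COLUMNS:
        raise BadRequest("unknown sort key")

    # Only the allow-listed column name is interpolated; user values are bound.
    sql = (
        "SELECT id, name, price FROM products "
        "WHERE name LIKE ? AND (? IS NULL OR price <= ?) "
        f"ORDER BY {SORT_COLUMNS[sort]}"
    )
    cur = conn.execute(sql, (f"%{name}%", max_price, max_price))
    return [dict(zip(("id", "name", "price"), row)) for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(search_products(db, {"max_price": "10", "sort": "price"}))
    try:
        search_products(db, {"sort": "id"})
    except BadRequest as exc:
        print("rejected:", exc)
```

Because the whole query shape is fixed on the server, the same entry point can sit behind a cache keyed on the validated parameters, which is the load-reduction point the reply makes; a caller who tries to steer the query through `sort` or `name` gets a 400 rather than a different statement.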