On 24.03.2015 21:29, Bobby Mozumder wrote:
Also, I'm a little terrified of having SQL directly in the markup. There's
so much potential for that to go horribly wrong. Personally, I feel things
that involve data retrieval should be better handled by endpoints that
return HTML, XML, or JSON. Putting it in the user-accessible markup is
dangerous.

It’s just a URL syntax that now allows for SQL statements.  It’s not the 
actual connection to a database.  If you connect to a remote server, the server 
can decide to grant you whatever authorization it wishes, through OAuth tokens 
in the header, through the URL syntax, or whatever.  And, for local databases, 
you can have full control if you want.

Some of these things you're asking the browser to do, I don't think the
browser should be doing. Fundamentally, web sites are a client/server
model, and we shouldn't heap on too much into the client side. Part of the
problem with that is the computational complexity (which is a problem in
developing countries where low end devices are the norm). The other part is
that you are essentially trusting the user device to be secure, which is a
terrible idea no matter how you slice it.

I never said the client would be considered trusted.  Not sure where you got that?

Right now, when you request data via an API endpoint URL, the remote web 
server transforms that into an SQL query.

This proposal lets you request data via an SQL syntax.  The remote web server 
would still need to transform that syntax into an SQL query that’s fit for the 
server.

For example:

        SELECT first_name, last_name FROM users;

would be transformed into:
        
        SELECT first_name, last_name FROM users WHERE manager="Boss Man";

And this proposal also eliminates the need for a transformative app server when 
accessing local databases.

OK. This makes no sense to me.

So you propose that the server does simple translation of SQL from URL to actual query, but you don't see any security issue with this? If on the other hand you're proposing that the server validates the SQL sent by the client, then the simplest (and proven) solution is to have an API entry point that does the query that your client wants without any SQL in the URLs.



Regards,
Janusz Majnert
Senior Software Engineer
Samsung R&D Institute Poland
Samsung Electronics
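
The two designs debated in this message, side by side, as an added example that is not code from either participant: a server that "translates" client SQL by appending its own filter, and an API entry point that runs a fixed, parameterized query. The table contents, function names and the `team_names` endpoint are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (first_name TEXT, last_name TEXT, manager TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("Ann", "Lee", "Boss Man"),
        ("Raj", "Patel", "Boss Man"),
        ("Eva", "Kowalska", "Other Boss"),
    ])
    return db

def naive_rewrite(db, client_sql, manager):
    """'Simple translation': append the server's filter to whatever SQL arrived.

    The server never parses the statement, so it cannot know whether its
    filter still takes effect once the text is concatenated.
    """
    sql = client_sql.rstrip().rstrip(";") + " WHERE manager = '%s'" % manager
    return db.execute(sql).fetchall()

# Fixed statements the server is willing to run; the client only picks a name.
ENDPOINTS = {
    "team_names": "SELECT first_name, last_name FROM users "
                  "WHERE manager = ? ORDER BY last_name",
}

def api_endpoint(db, name, session_manager):
    """API entry point: no SQL crosses the wire.

    session_manager is assumed to come from the authenticated session,
    never from the request, and is bound as a parameter.
    """
    if name not in ENDPOINTS:
        raise KeyError("unknown endpoint: %r" % name)
    return db.execute(ENDPOINTS[name], (session_manager,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The query from the thread behaves as intended under naive rewriting...
    print(naive_rewrite(db, "SELECT first_name, last_name FROM users;", "Boss Man"))
    # ...but a trailing SQL comment in the client text silences the appended filter.
    print(naive_rewrite(db, "SELECT first_name, last_name FROM users --", "Boss Man"))
    print(api_endpoint(db, "team_names", "Boss Man"))
```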
