We closed this forum 18 June 2010. It has served us well since 2005 as the ALPHA forum did before it from 2002 to 2005. New discussions are ongoing at the new URL http://forum.processing.org. You'll need to sign up and get a new user account. We're sorry about that inconvenience, but we think it's better in the long run. The content on this forum will remain online.
Security of SQL and Processing
Mar 24th, 2010, 8:23am
 
Hi, I'm using the SQL library to make an applet where people can draw and then save their sketch. The sketches are saved to an SQL database. However, I have some concerns about security. My SQL password is contained in the applet. How easy would it be for someone to obtain this and tamper with the database?
Also any general SQL/Processing security hints?

Thanks,
Rob
Re: Security of SQL and Processing
Reply #1 - Mar 24th, 2010, 9:34am
 
As you guessed, it is fundamentally insecure...
Direct SQL access should be done only with credentials provided by the user (so, authorized users), never hard-coded in the program (easy to decompile, etc.).
That's why most applets and Web applications actually dialog with a server which does the database access for the user: this, at least, limits the actions the applet can do on the database (if precautions against SQL injection are properly done, of course).
Re: Security of SQL and Processing
Reply #2 - Mar 24th, 2010, 11:18am
 
Thanks for the info. Could you point me in the right direction for setting up a permanently running server with my web host? How would that even work?

Cheers for any hinters,

Rob
Re: Security of SQL and Processing
Reply #3 - Mar 24th, 2010, 1:17pm
 
Since your host allows you to have a database (MySQL?), it seems a safe bet that you can also use PHP, Python, Perl, Ruby, and/or CGI...

PHP is probably the easy way to go. I don't know how easy, since I haven't done that yet... something to look into for a project on the back-burner!

-spxl
Re: Security of SQL and Processing
Reply #4 - Mar 25th, 2010, 12:50am
 
Hiya, I've tried using php (it's how I actually did it before using the SQL library) but this didn't solve the problem because the password had to be saved in the php script instead, which I'd imagine is even easier to open. If I change the chmod settings though for the php file, can this protect it?
Re: Security of SQL and Processing
Reply #5 - Mar 25th, 2010, 4:59am
 
By definition, PHP files cannot be loaded/read from outside the server. If you try to download them, you execute them instead.
Re: Security of SQL and Processing
Reply #6 - Mar 25th, 2010, 5:51am
 
So it is relatively safe to store the password in the PHP file?
Re: Security of SQL and Processing
Reply #7 - Mar 25th, 2010, 9:43am
 
Relative to storing it in the applet, yes.

There are issues to deal with regarding other users on your server potentially having access to the PHP file source, but hopefully your host has sorted out some privacy for you.

This is the way that things like WordPress and many other PHP-based things work; they have database connection details in one of the PHP files.

-spxl
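
The arrangement described in Reply #1 and Reply #7, as an added example that is not code from any poster in this thread: the applet POSTs the sketch to a PHP script, and only that script holds the database password and performs one fixed, parameterized INSERT. The file name `save_sketch.php`, the config path and keys, the size limits and the `sketches` table are assumptions made for illustration.

```php
<?php
// save_sketch.php -- added example, not code from the thread.
// The applet sends a sketch here; the DB password never leaves the server.

// Assumption: db_config.php sits outside the web root, is readable only by
// the web server user, and returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
// Path and key names are hypothetical.
$config = require __DIR__ . '/../private/db_config.php';

const MAX_TITLE_BYTES  = 80;      // constructed limits for this example
const MAX_SKETCH_BYTES = 200000;

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$title = isset($_POST['title']) ? trim($_POST['title']) : '';
$data  = isset($_POST['data']) ? $_POST['data'] : '';

// Anything the applet sends is untrusted: validate before using it.
if ($title === '' || strlen($title) > MAX_TITLE_BYTES
    || $data === '' || strlen($data) > MAX_SKETCH_BYTES) {
    http_response_code(400);
    exit('invalid sketch');
}

try {
    // Ideally this account is granted INSERT on the sketches table only,
    // so the script cannot be used to read, alter or drop anything.
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Placeholders keep user input out of the SQL text (no SQL injection).
    // Hypothetical table: sketches(title, data, created_at).
    $stmt = $pdo->prepare(
        'INSERT INTO sketches (title, data, created_at) VALUES (:title, :data, NOW())'
    );
    $stmt->execute([':title' => $title, ':data' => $data]);

    http_response_code(201);
    echo 'saved';
} catch (PDOException $e) {
    // Log on the server; never echo connection details back to the client.
    error_log('save_sketch: ' . $e->getMessage());
    http_response_code(500);
    echo 'server error';
}
```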