Processing 1.0 - Processing Discourse - Security of SQL and Processing

We closed this forum 18 June 2010. It has served us well since 2005 as the ALPHA forum did before it from 2002 to 2005. New discussions are ongoing at the new URL http://forum.processing.org. You'll need to sign up and get a new user account. We're sorry about that inconvenience, but we think it's better in the long run. The content on this forum will remain online.

Index › Programming Questions & Help › Other Libraries › Security of SQL and Processing

‹ Previous Topic | Next Topic ›

Pages: 1

Security of SQL and Processing (Read 1477 times)

brik

Security of SQL and Processing
Mar 24^th, 2010, 8:23am

Hi, I'm using the SQL library to make an applet where people can draw and then save their sketch. The sketches are saved to an SQL database. However, I have some concerns about security. My SQL password is contained in the applet. How easy would it be for someone to obtain this and tamper with the database?
Also any general SQL/Processing security hints?

Thanks,
Rob

PhiLho

Re: Security of SQL and Processing
Reply #1 - Mar 24^th, 2010, 9:34am

As you guessed, it is fundamentally insecure...
Direct SQL access should be done only with credentials provided by the user (so, authorized users), never hard-coded in the program (easy to decompile, etc.).
That's why most applets and Web applications actually dialog with a server which does the database access for the user: this, at least, limits the actions the applet can do on the database (if precautions against SQL injection are properly done, of course).

brik YaBB Newbies Offline Posts: 23	Re: Security of SQL and Processing Reply #2 - Mar 24^th, 2010, 11:18am Thanks for the info. Could you point me in the right direction for setting up a permanently running server with my web host? How would that even work? Cheers for any hinters, Rob

subpixel Senior Member Offline Posts: 261	Re: Security of SQL and Processing Reply #3 - Mar 24^th, 2010, 1:17pm Since your host allows you to have a database (MySQL?), it seems a safe bet that you can also use PHP, Python, Perl, Ruby, and/or CGI... PHP is probably the easy way to go. I don't know how easy, since I haven't done that yet... something to look into for a projec on the back-burner! -spxl
	Processing: subpixels.com, OpenProcessing.org \| VJ portfolio: SPXL.TV

brik YaBB Newbies Offline Posts: 23	Re: Security of SQL and Processing Reply #4 - Mar 25^th, 2010, 12:50am Hiya, I've tried using php (it's how I actually did it before using the SQL library) but this didn't solve the problem because the password had to be saved in the php script instead, which I'd imagine is even easier to open. If I change the chmod settings though for the php file, can this protect it?

PhiLho YaBB Moderator Offline Posts: 4190 Near Paris (France)	Re: Security of SQL and Processing Reply #5 - Mar 25^th, 2010, 4:59am By definition, PHP files cannot be load/read from outside the server. If you try to download them, you execute them instead.

brik YaBB Newbies Offline Posts: 23	Re: Security of SQL and Processing Reply #6 - Mar 25^th, 2010, 5:51am so it is relatively safe to store the password in the php file?

subpixel

Re: Security of SQL and Processing
Reply #7 - Mar 25^th, 2010, 9:43am

Relative to storing it in the applet, yes.

There are issues to deal with regarding other users on your server potentially having access to the PHP file source, but hopefully your host has sorted out some privacy for you.

This is the way that things like WordPress and many other PHP-based things work; they have database connection details in one of the PHP files.

-spxl

Processing: subpixels.com, OpenProcessing.org | VJ portfolio: SPXL.TV

Pages: 1

‹ Previous Topic | Next Topic ›