It is not ready yet, but...

[Rathinagiri]

Thanks Roberto.

This gives some insight into the subject. I think I have to read a LOT!

http://stackoverflow.com/questions/2821 ... t-involves

[Roberto Lopez]

http://stackoverflow.com/questions/2821 ... t-involves

After reading that thread, there is no so much hope

[Rathinagiri]

I think the combo of the two may work out.

A generic PHP script which can build a query from the necessary parameters.

var data = Querier({
table: "mytable",
columns: {"column1", "column2", "column3"},
where: {
column2: {
op: '=',
value: 'blablabla'
}
}
limit: "10"
});

In the script we can add some prefix to the table names and then build the query in the script using the available parameters.

[mol]

It's really hard theme to realize security policies...

[Roberto Lopez]

I think the combo of the two may work out.
<...>

Being such a sensitive theme, IMHO, the best way to go, is to keep JMG 'neutral' about this, so the user can make the decision that consider most convenient.

[serge_girard]

IMO the best is to keep all SQL stuff away from JS, so only in PHP.

Greetings, Serge

[luisvasquezcl]

Dear, IMHO, for security is not advisable to create the SQL statement in javascript since the database, however, is fully exposed is better to make a generic script in php for data manipulation.
Totally agree with Serge.
best regards
luis vasquez

[serge_girard]

And beware of (blind) SQL injection !
Each input must be checked, controlled and parsed before execution.

Serge

[Rathinagiri]

Thank you Serge. I do agree with you now. Obscurity is the starting point of security.

[serge_girard]

Best screening of user-input is done in 2 ways: Javascript on client and PHP on server.
Blind SQL injection are URL's like :

Code: Select all

http://hmgforum.com/viewtopic.php?f=50&t=4677&start=10 OR 1=1
OR
http://hmgforum.com/viewtopic.php?f=50&t=4677&start=10%20OR%201=1

Which can cause a lot trouble! Each parameter should carefully be inspected before assuming to be OK.

Serge