From: | Tyler MacDonald <tyler(at)yi(dot)org> |
---|---|
To: | Paul M Foster <paulf(at)quillandmouse(dot)com> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: Ajax/PostgreSQL |
Date: | 2006-08-05 23:32:27 |
Message-ID: | 20060805233226.GC9898@yi.org |
Lists: | pgsql-general |
Paul M Foster <paulf(at)quillandmouse(dot)com> wrote:
> I'm doing some massive (internal company) applications using PHP, which
> query extensive PostgreSQL tables. This is fine, but obviously it often
> requires multiple web pages to get something done. Supposedly, AJAX
> promises to make web pages more interactive. But from what I understand,
> I'd have to have bindings from Javascript into PostgreSQL to make this
> work.
NO. NO. ABSOLUTELY NOT. That is an incredible security risk.
Javascript code runs on the client's browser and should not be allowed to
just send raw queries into a database.
Your javascript code should politely ask your server-side code to do
something, and your server-side code should very, *VERY* carefully inspect
the request before sanitizing, escaping, and *maybe* passing it on to
postgresql.
> Here's an example: The user wants to enter a bill (accounts payable)
> into the system. He first has to pick a vendor. Normally, this would
> entail a PHP page that generates a PostgreSQL query. The user would then
> get a second page with various vendor information (like number of due
> days for that vendor), and various other payable info. But wouldn't it
> be nice to have vendor information filled in on the original page,
> directly after the user picks a vendor? Theoretically, AJAX might allow
> something like this. But from what I can see, it would require
> PostgreSQL bindings in Javascript, and some way to pass the data back so
> that PHP could use it.
Have PHP serve as an intermediary between the Javascript on the
client browser and the database on your backend. Make sure your PHP looks at
everything the client is sending across very carefully. Pay special
attention to symbols that are used for quoting and escaping in SQL. Don't
have the javascript think in terms of tables, just result sets, specific ones
that the PHP feeds it.
- Tyler
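The pattern Tyler describes, as an added example that is not part of the thread and not Tyler's or Paul's code: a small PHP endpoint that the browser's Javascript asks for one vendor's details. The script name (vendor_info.php), the table and column names (vendors, vendor_id, name, due_days) and the connection string are assumptions for illustration; the point is that the client only sends a vendor id, the server validates it before touching the database, and the SQL text is fixed server-side with the client value bound as a parameter.

```php
<?php
// vendor_info.php: hypothetical endpoint (added example, not from the thread).
// The page's Javascript requests vendor_info.php?vendor_id=42 and fills in
// form fields from the JSON this script returns.
// Assumes a table "vendors" with columns vendor_id, name, due_days (assumed names).

declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');

// 1. Accept only the one parameter we expect, and only as a positive integer.
//    Anything else the client sends (extra parameters, quotes, SQL fragments,
//    table names) is simply ignored.
$vendorId = filter_input(INPUT_GET, 'vendor_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($vendorId === null || $vendorId === false) {
    http_response_code(400);
    echo json_encode(['error' => 'vendor_id must be a positive integer']);
    exit;
}

// 2. Connect to PostgreSQL (connection string is a placeholder).
$db = pg_connect('host=localhost dbname=PLACEHOLDER_DB user=PLACEHOLDER_USER');
if ($db === false) {
    http_response_code(500);
    echo json_encode(['error' => 'database unavailable']);
    exit;
}

// 3. The SQL text is fixed by the server; the client's value travels as a
//    bound parameter ($1), so quoting and escape characters in it are never
//    parsed as SQL. The client picks from a result set and never names a table.
//    The pattern to avoid is string-building the query from request data, e.g.
//    pg_query($db, "SELECT ... WHERE vendor_id = " . $_GET['vendor_id']).
$result = pg_query_params(
    $db,
    'SELECT vendor_id, name, due_days FROM vendors WHERE vendor_id = $1',
    [$vendorId]
);
if ($result === false) {
    http_response_code(500);
    echo json_encode(['error' => 'query failed']);
    exit;
}

$row = pg_fetch_assoc($result);
if ($row === false) {
    http_response_code(404);
    echo json_encode(['error' => 'no such vendor']);
    exit;
}

// 4. Return exactly the fields the page needs, with their types fixed, so the
//    Javascript works with a specific result set rather than raw table rows.
echo json_encode([
    'vendor_id' => (int) $row['vendor_id'],
    'name'      => $row['name'],
    'due_days'  => (int) $row['due_days'],
]);
```

The Javascript side only needs to fetch that URL after the user picks a vendor and copy the three JSON fields into the form; it never sees a table name or a query. Because the id is validated as an integer and then bound with pg_query_params, the "quoting and escaping" symbols Tyler warns about have no path into the SQL parser.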