Re: javascript and postgres

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: 野村 <nomura(at)ir-alt(dot)co(dot)jp>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: javascript and postgres
Date: 2009-02-24 06:54:20
Message-ID: 49A3999C.5060102@postnewspapers.com.au
Lists: pgsql-general

野村 wrote:
> Hello all.
>
> My javascript connects with postgres using php.
> php responds with XML for my select request.
> I wonder, is there any way to access postgres directly?

Nothing stops you passing SQL snippets from JavaScript into your PHP
code, which then dispatches them to the server and returns the results.

This is a really, really, REALLY bad idea. It allows anybody with the
ability to access your XML-RPC interface for PHP (say via XMLHttpRequest
in their browser) to send whatever SQL code they want to your server.

Do not do this unless you would also be comfortable opening the
PostgreSQL server port for direct Internet access and publishing the
username and password to use on your website. That's effectively what
you would be doing.

--
Craig Ringer
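
An added example, not part of the message above or of any poster's code: one way the PHP layer can avoid forwarding client-supplied SQL is to let the browser choose from a server-side list of named queries and bind its values as parameters. The query name, table and columns are hypothetical, and an in-memory SQLite database stands in for PostgreSQL so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added illustration. Query names, table and columns are hypothetical.
// The browser names a query and supplies values; it never supplies SQL.
const QUERIES = [
    'customer_by_id' => [
        'sql'    => 'SELECT id, name FROM customers WHERE id = :id',
        'params' => ['id' => FILTER_VALIDATE_INT],
    ],
];

function run_named_query(PDO $db, array $request): array
{
    $name = $request['query'] ?? null;
    if (!is_string($name) || !array_key_exists($name, QUERIES)) {
        throw new InvalidArgumentException('unknown query');
    }
    $bound = [];
    foreach (QUERIES[$name]['params'] as $key => $filter) {
        $value = filter_var($request[$key] ?? null, $filter);
        if ($value === false) {
            throw new InvalidArgumentException("bad parameter: $key");
        }
        $bound[$key] = $value;
    }
    // Values travel as bound parameters, never concatenated into the SQL text.
    $stmt = $db->prepare(QUERIES[$name]['sql']);
    $stmt->execute($bound);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data; SQLite in memory stands in for a pgsql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO customers VALUES (1, 'Alice'), (2, 'Bob')");
// Constructed requests, as they might arrive decoded from the browser.
$requests = [
    ['query' => 'customer_by_id', 'id' => '2'],
    ['query' => 'customer_by_id', 'id' => '2 OR 1=1'],
    ['query' => 'DELETE FROM customers'],
];
foreach ($requests as $r) {
    try {
        echo json_encode(run_named_query($db, $r)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first request reaches the database; the other two are rejected before any statement is prepared.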
