LiveCode Forums.

Questions and answers about the LiveCode platform.
https://www.forums.livecode.com/

Remote database access for commercial app

https://www.forums.livecode.com/viewtopic.php?f=7&t=17509

Page 1 of 1

Remote database access for commercial app

Posted: Sun Oct 13, 2013 3:41 pm
by Coffee1633
I set up a remote database on a cheapo web hosting site and used the % wildcard to allow access to the databases. Probably mistake number one. Then I used regular LC scripts to connect to the MySQL databases with the PW and username etc in the LC app. Mistake number two? Then I pass data back bad forth from the app. It works!! No mistakes there. With a local SQLite database I'm not too worried about security but with the remote DB I feel that I am doing something seriously wrong. Can anyone tell what I need to learn next to be able to use a remote database for a commercial app? It's probably a lot, right?

I watched a lot of Lynda.com database lessons but all of it was on the nuts and bolts of querys and SQL statements which was very helpful but nothing on remote database security for commercial apps

Coffee16

Re: Remote database access for commercial app

Posted: Sun Oct 13, 2013 5:22 pm
by bangkok
-first principle : security is never something "absolute". It has to be measured, evaluated in a "context".

My point : if your app is linked to cooking recipes, then... security would be a lower priority/issue than an app that contains the whole accounting data of a company. :)

-yes, to leave MySQL port opened to any connection from the outside world, is not really good. Especially if you keep the standard 3306 port number. At least you should change to avoid "scanning".
But again, if your app contains no valuable information, then no need to bother ?

-if you want security, you have to close totally MySQL from the outside world. Only "localhost" (127.0.0.1) would have access to the DB.

But then how your application can have access to the database ?

Very simple : use a LC script (with LiveCode Server) or a PHP script (very common) on the server. This special script is going to "receive" queries from your app (a simple POST to a URL, AKA the address of your script)

The script will then "forward" the queries to the database system, fetch the results, and then "display" the result to your app.

In your app, that would be :

Code: Select all

post tMyQuery to url ("http://mydatabaseserver.com/myscript.lc")
-with this scheme, be carefull with "SQL injection" attack. You can not allow your script to process ANY SQL query ! That would be too dangerous. The best strategy is to "cut" queries.
The app sends the last part (WHERE name=XXXX) and in your server script you hardcode the first part for instance (SELECT name FROM mydatabase)
And furthermore : add special functions to "sterilize" the data sent by the app : removing special characters like quote, comma, ; = etc.

-this scheme can be "reinforced" with several encryption systems (for instance, a powerfull public/private key system), to scramble the data sent and received between your app and the server script.

-other point : security is also resistance to done dammages. Therefore : backups. Automatic. The more you have, the best it is.

Good luck.
All times are UTC+01:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/