Thinking about it a bit further, I realized the flaw in my design. Even though MySQL, for example, has a user and access right management built-in, these rules are not sophisticated enough to differentiate between legitimate and illegitimate sql queries. Even though a user might have the right to write to a table, the sql engine itself cannot check, for example, if the user is allowed to overwrite a record created by another user. She may or may not, but this condition can only be checked programmatically. And since the client cannot be fully controlled by the programmer - attackers could simulate the client and forge malicious queries. Too bad - it seemed such an attractive idea.
I was thinking in terms of an xml database such as eXist, where one can skip an intermediate server-side scripted framework entirely and query the database directly from javascript. However, in contrast to an sql database, eXist can have built-in rulesets which control the legitimacy of queries by the database engine itself.

Cheers,
Christian

Christian Boulanger schrieb:
> Hello Siarhei,
>
> thank you for your thoughts. I know MVC from CakePHP (which is a PHP
> equivalent of RoR) but it was exactly the problem that Cake forced me to
> use MVC. With qooxdoo I do not need the "V" (View) part at all since in
> CakePHP, it is based on the HTML-page way of doing things. The way I
> need to style URLs for the Controller does not fit the RPC model that
> qooxdoo backend transport excels with. Leaves the "M" - the model. The
> data, in my opinion, could be modeled at the client or the server level
> and is separated from the view since it is not part of the widgets...
> it would be its own class. And as to exposure of the database structure:
> since I am writing open source applications, database structure is known
> to anyone who cares to know to begin with - but I see that it would be
> more vulnerable to attackers who analyze network traffic.
>
> Thanks,
>
> Christian
>
> Siarhei Barysiuk schrieb:
>
>> Hello,
>>
>> There exists a structure of application called MVC (more exactly, it's
>> a pattern in software architecture).
>> MODEL-VIEW-CONTROLLER
>> Model represents data in your database. View renders this data.
>> Controller processes user requests, changes data (model) and provides
>> data to view.
>> It's a good architecture. View doesn't know anything about data
>> structure, it uses only Model.
>> View is decoupled from data representation and business logic.
>>
>> In your idea data and view are coupled. Maybe this way seems simpler
>> in small projects but
>> it will become a headache when the project starts growing. It's a bad
>> practice to have direct access
>> to your data in the view. Usage of SQL queries in JS is potentially
>> insecure and shares
>> your database structure.
>>
>> Of course there can be something like stubs in JavaScript which will
>> forward your calls to the server; the business
>> logic processes the request and returns the result. But it's exactly
>> what you're doing now. The problem is only how to
>> generate a model (something like in RoR) with JS stubs.
>>
>> Siarhei Barysiuk
>>
>> Christian Boulanger wrote:
>>
>>> ... an additional advantage would be that the same application would work
>>> with a variety of backends without any change.
>>>
>>> I was searching google to see if there is some project already that does
>>> direct access to a sql database via javascript "active record" objects,
>>> but have not found anything. Do you know of any projects? (And to save
>>> your time: yes, I know that Ruby on Rails is great, but no, I cannot
>>> invest the time in learning ruby / RoR right now).
>>>
>>> Christian
>>>
>>>> Hello List,
>>>>
>>>> I have a backend design question for people who do transport and security
>>>> stuff. I have so far coded the backend in PHP, which I know well. I don't
>>>> know any other server-side language well and have no time to learn
>>>> anything new.
>>>>
>>>> My qooxdoo application mainly needs data from a sql database such as
>>>> mysql. I have tried a number of php backends such as CakePHP. I find,
>>>> however, that they all introduced unnecessary overhead and I find that
>>>> constantly having to switch between client-side javascript and server-side
>>>> PHP logic slows me down significantly.
>>>>
>>>> Since I need the server basically to execute sql queries and deliver the
>>>> data, I wonder if it wouldn't make sense to write a generic backend in PHP
>>>> and other server-side languages which do nothing except authenticating and
>>>> checking incoming sql queries for attacks like injection etc. and passing
>>>> them to the chosen SQL backend. The sql engine is most efficient in
>>>> processing the queries, it also has a sophisticated user authentication
>>>> and access right system built right in - why introduce another layer?
>>>>
>>>> The goal would be to create an almost direct connection between javascript
>>>> and the sql database and to create and manipulate the data model on the
>>>> client directly. The JSON-RPC backend could be extended to handle these
>>>> requests, so developers would not need to write custom code for sql queries
>>>> on the server. One then could restrict one's work to javascript coding and
>>>> administrating the sql database with a GUI tool. No more PHP, Java, etc...
>>>>
>>>> Do you see any performance and security problems with this approach?
>>>>
>>>> Christian
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by DB2 Express
>>>> Download DB2 Express C - the FREE version of DB2 express and take
>>>> control of your XML. No limits. Just data. Click to get it now.
>>>> http://sourceforge.net/powerbar/db2/
>>>> _______________________________________________
>>>> qooxdoo-devel mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
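The flaw Christian identifies at the top of the thread (the database's table-level grants cannot express "a user may only overwrite her own records", so a server that merely authenticates and forwards client-supplied SQL cannot enforce that rule) is easy to see in code. The following is an added example written for this page, not code from the thread or from qooxdoo, and it uses Python with sqlite3 in place of the PHP/MySQL backend under discussion. The `notes` table, the users alice and bob, and the two RPC-style functions are constructed for the illustration; the point is the contrast between a forward-the-SQL endpoint and a narrow RPC method that carries the ownership rule in its own parameterized WHERE clause.

```python
import sqlite3

# Constructed sample data: two users, each owning one record.
SEED_NOTES = [
    (1, "alice", "alice's note"),
    (2, "bob", "bob's note"),
]


def make_db():
    """In-memory table standing in for the MySQL table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SEED_NOTES)
    conn.commit()
    return conn


def raw_sql_rpc(conn, authenticated_user, sql, params=()):
    """The design the thread starts from: the server authenticates the caller and
    then forwards whatever statement the client sent. The database account holds
    UPDATE on the whole table, so the engine has no way to relate the row being
    written to the calling user; 'authenticated_user' is unused because there is
    nowhere to apply it."""
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def update_note_rpc(conn, authenticated_user, note_id, new_body):
    """The mediated design: a narrow RPC method per operation. The client never
    supplies SQL; the ownership rule is the 'owner = ?' predicate, bound to the
    identity the server established, and a zero rowcount is treated as a refusal."""
    cur = conn.execute(
        "UPDATE notes SET body = ? WHERE id = ? AND owner = ?",
        (new_body, note_id, authenticated_user),
    )
    conn.commit()
    if cur.rowcount == 0:
        raise PermissionError(f"{authenticated_user} may not modify note {note_id}")
    return cur.rowcount


def note_body(conn, note_id):
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def demo():
    # Raw endpoint: a statement submitted in bob's session touches alice's record,
    # and the engine accepts it because the grant is table-wide.
    conn = make_db()
    raw_sql_rpc(conn, "bob", "UPDATE notes SET body = ? WHERE id = ?", ("overwritten", 1))
    raw_result = note_body(conn, 1)

    # Mediated endpoint: the same intent is refused, while bob's own record is editable.
    conn = make_db()
    try:
        update_note_rpc(conn, "bob", 1, "overwritten")
        refused = False
    except PermissionError:
        refused = True
    update_note_rpc(conn, "bob", 2, "bob's edited note")
    return raw_result, refused, note_body(conn, 1), note_body(conn, 2)


if __name__ == "__main__":
    print(demo())
```

The mediated method also answers the original post's wish to avoid "checking incoming sql queries for attacks like injection": once the client sends only operation names and values and the server builds every statement itself with bound parameters, there is no client-supplied SQL to inspect, and the authorization decision moves to the one place that knows both the caller's identity and the record's owner.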
