On 03/25/2015 12:39 AM, Janusz Majnert wrote:


OK. This makes no sense to me.

So you propose that the server does a simple translation of SQL from the URL
to the actual query, but you don't see any security issue with this?
If, on the other hand, you're proposing that the server validates the SQL
sent by the client, then the simplest (and proven) solution is to have an
API entry point that does the query your client wants without any
SQL in the URLs.

Yes, I have to agree with that: input needs to be validated on the server and preferably bound to a prepared statement, and that is easiest to do with POST/GET variables, which server-side languages are already equipped to handle without exposing the table/column structure. It also easily allows different caching engines to be used as needed to reduce load on the SQL server.
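The approach both posters land on, a fixed API entry point that takes only values from the query string and binds them to a prepared statement, as an added example that is not code from either poster or any project in the thread. The `users` table, the `ALLOWED_FILTERS` map and `find_users` are constructed here for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    """Constructed in-memory table standing in for the real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.org"),
                    (2, "bob", "bob@example.org")])
    return db

# Allow-list of filters the endpoint accepts, each with a validator that
# converts the raw string to the expected type. The client never names a
# table or column; it only supplies values for filters the server defines.
ALLOWED_FILTERS = {
    "name": str,
    "id": int,
}

def find_users(db, query_string):
    """Handle e.g. /users?name=alice or /users?id=2.

    The SQL text is assembled only from server-side allow-listed column
    names; every client-supplied value is bound as a parameter, so quotes
    or SQL keywords in a value are compared as literal data, never parsed.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    conditions, values = [], []
    for key, vals in params.items():
        if key not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter: {key!r}")
        validate = ALLOWED_FILTERS[key]
        values.append(validate(vals[0]))  # raises ValueError on bad type
        conditions.append(f"{key} = ?")   # key is allow-listed, value is bound
    sql = "SELECT id, name FROM users"
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    return db.execute(sql, values).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(find_users(db, "name=alice"))      # [(1, 'alice')]
    print(find_users(db, "name=o%27brien"))  # [] -- the quote is plain data
```

Because the endpoint exposes only named filters, the SQL server never sees client-authored query text, and the same handler can sit behind a cache keyed on the validated parameters.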
