On Thu, Jul 22, 2010 at 3:09 PM, Brian B. [email protected] wrote:
We’re still here at OSCON if you want to stop by.
It’s intended for use in applications, so it’s really no different
than using the native database APIs vis-a-vis security, all the same
concerns apply. We just make it easier to get to the database.
Applications mask the queries though.
/sql?sql=SELECT something FROM table WHERE file_id=somevariable
(of course URL encoded, blahblah)
Seems to me the model shouldn’t be used for anything that would be an
information disclosure to anything sensitive. For instance, perhaps
you want a user’s email address. Well, depending on how it’s done, you
could SHOW COLUMNS FROM user; or SELECT * FROM user; instead of SELECT
email FROM user … right?
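An added illustration of the two models discussed above (not code from the thread or from the project Brian is describing): a raw `/sql?sql=` passthrough returns whatever the caller asks for, while an application that names its queries and binds parameters is the "mask" that keeps `SELECT * FROM user` out of reach. The `user` table, its rows and the `NAMED_QUERIES` allowlist are constructed for this example.

```python
import sqlite3

# Constructed sample schema standing in for the "user" table mentioned in the thread.
SCHEMA = [
    "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, email TEXT)",
    "INSERT INTO user VALUES (1, 'alice', '[email protected]')",
    "INSERT INTO user VALUES (2, 'bob', '[email protected]')",
]


def open_db():
    conn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        conn.execute(stmt)
    return conn


def raw_sql_endpoint(conn, sql):
    """The /sql?sql=... model: the string from the request is executed as-is.
    The caller, not the application, decides which tables and columns come back,
    so the database account's permissions are the only remaining boundary."""
    cur = conn.execute(sql)
    return [d[0] for d in cur.description], cur.fetchall()


# Hypothetical allowlist: the application names each query it is willing to run,
# fixes the column list in the statement, and binds caller input as a parameter.
NAMED_QUERIES = {
    "user_name": ("SELECT name FROM user WHERE id = ?", ("id",)),
}


def named_query_endpoint(conn, name, params):
    """The masked model: only a named, parameterized statement can run,
    so neither the column set nor the table is chosen by the caller."""
    if name not in NAMED_QUERIES:
        raise PermissionError(f"unknown query {name!r}")
    sql, keys = NAMED_QUERIES[name]
    try:
        args = tuple(params[k] for k in keys)
    except KeyError as missing:
        raise ValueError(f"missing parameter {missing}") from None
    cur = conn.execute(sql, args)  # bound, never string-interpolated
    return [d[0] for d in cur.description], cur.fetchall()
```

With the raw endpoint, `SELECT * FROM user` hands back the email column along with everything else; with the named endpoint, only `user_name` exists and it can only ever return `name`.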