Thread: javascript and postgres

Hello all.

My javascript connects with postgres using php.
php responds with XML for my select request.
I wonder is there any way to access postgres directly?
I mean like this.

    new PGSQL.Request ( 'postgres.server.com' ,{
         port: 5432
        ,sql : 'select * from bra'
        ,asynchronous : true
        ,parameters : ''
        ,onComplete : fetch_function
        ,onLoaded : function(){ $( 'status' ).innerHTML="Loading..."; }
        ,onFailure : function(){ $( 'status' ).innerHTML= "error"; }
    } );

regards

野村 wrote:
> Hello all.
>
> My javascript connects with postgres using php.
> php responds with XML for my select request.
> I wonder is there any way to access postgres directly?

Nothing stops you passing SQL snippets from JavaScript into your PHP
code, which then dispatches them to the server and returns the results.

This is a really, really, REALLY bad idea. It allows anybody with the
ability to access your XML-RPC interface for PHP (say via XMLHttpRequest
in their browser) to send whatever SQL code they want to your server.

Do not do this unless you would also be comfortable opening the
PostgreSQL server port for direct Internet access and publishing the
username and password to use on your website. That's effectively what
you would be doing.

--
Craig Ringer
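
An added example, not part of the original thread or any poster's code: the safer alternative to the pattern Craig Ringer warns against, where the server-side code accepts only a query name and typed arguments from the browser and maps them to fixed parameterized statements. The query names, the `id` column and the `{ text, values }` result shape are assumptions; the `bra` table is taken from the original post.

```javascript
// Added example: server-side allowlist of named queries (runs under Node.js).
// Query names and the "id" column are hypothetical; "bra" is from the post.
const QUERIES = {
  listBra: {
    text: 'SELECT * FROM bra ORDER BY id LIMIT $1',
    params: [{ name: 'limit', check: (v) => Number.isInteger(v) && v > 0 && v <= 100 }],
  },
  braById: {
    text: 'SELECT * FROM bra WHERE id = $1',
    params: [{ name: 'id', check: (v) => Number.isInteger(v) && v > 0 }],
  },
};

// Turn an untrusted client request into a fixed statement plus bound values.
// The client picks a query by name; it never supplies SQL text.
function buildStatement(request) {
  if (request === null || typeof request !== 'object') {
    throw new Error('malformed request');
  }
  const known = Object.keys(request).every((k) => k === 'query' || k === 'args');
  if (!known) {
    throw new Error('unexpected field in request'); // e.g. a raw "sql" field
  }
  if (typeof request.query !== 'string' ||
      !Object.prototype.hasOwnProperty.call(QUERIES, request.query)) {
    throw new Error('unknown query');
  }
  const spec = QUERIES[request.query];
  const args = request.args === undefined ? {} : request.args;
  if (args === null || typeof args !== 'object' || Array.isArray(args)) {
    throw new Error('malformed args');
  }
  if (Object.keys(args).length !== spec.params.length) {
    throw new Error('wrong number of args');
  }
  const values = spec.params.map((p) => {
    if (!Object.prototype.hasOwnProperty.call(args, p.name) || !p.check(args[p.name])) {
      throw new Error('bad value for ' + p.name);
    }
    return args[p.name];
  });
  // The values travel separately from the SQL text when passed to a driver's
  // parameterized query call, so they are never parsed as SQL.
  return { text: spec.text, values };
}

// Constructed sample request, as it might arrive from the browser as JSON.
const sample = buildStatement({ query: 'braById', args: { id: 7 } });
console.log(sample.text, sample.values);
```

The database role used by the server-side code should still be limited to the tables and operations these statements need.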

野村 wrote:
> Hello all.
>
> My javascript connects with postgres using php.
> php responds with XML for my select request.
> I wonder is there any way to access postgres directly?
>

If you mean client side Javascript running on the end user's web browser,
no, it should NOT be allowed to connect to a database server directly.
That would be a big security exposure, as well as probably trigger all
kinds of security alerts on the web browser side.

On Mon, Feb 23, 2009 at 11:54 PM, Craig Ringer
<craig@postnewspapers.com.au> wrote:
> 野村 wrote:
>> Hello all.
>>
>> My javascript connects with postgres using php.
>> php responds with XML for my select request.
>> I wonder is there any way to access postgres directly?
>
> Nothing stops you passing SQL snippets from JavaScript into your PHP
> code, which then dispatches them to the server and returns the results.
>
> This is a really, really, REALLY bad idea. It allows anybody with the
> ability to access your XML-RPC interface for PHP (say via XMLHttpRequest
> in their browser) to send whatever SQL code they want to your server.

Note however that there is such a beast as server side javascript.

http://en.wikipedia.org/wiki/Server-side_JavaScript

Thanks for the replies.

Craig Ringer wrote:
> This is a really, really, REALLY bad idea.

I agree.

John R Pierce wrote:
> if you mean client side Javascript running on the end users web browser,
> no, it should NOT be allowed to connect to a database server directly.

Web pages have username and password with basic, digest or ldap
authorization. So if I createuser with the same user and password, and if
there is md5 or something to encode the password, I wonder if javascript
connects to postgres securely.

As John said, I meant client side Javascript.

regards

野村 wrote:
> Web pages have username and password with basic, digest or ldap
> authorization. So if I createuser with same user and password, and if
> there is md5 or something to encode password, I wonder javascript
> connects to postgres securely.
>

For that to work, regardless of security aspects, the postgres client
libraries would have to be installed on each web browser system, in a
form that javascript could invoke. However, I've not heard of any
javascript -> postgres bindings suitable for use in a web browser
context...

Javascript in a web browser is running in a sort of sandbox and isn't
supposed to be allowed to make its own network connections, or call
system libraries directly; allowing this would be a gross security flaw
(for instance, a hostile web page could take over a user's computer).