Updating web based db from client

[RTS]BN+VS*

Hey,

I have a mysql db (used for a site) on a linux server and want to approach it from a remote source. This remote source can be a desktop application, or another site.

I can request data using a php web service, but don't know how to do any write action without creating major security leaks. How can I authenticate a write request?

Cheers
BN
 
Hey,

So if I have a .net application that runs on client machines, how can I update my remote database? It can only be approached locally, so what I'm currently doing is calling a php script that does the actual data retrieval. I cannot use this to update my db since anyone can call that script...

I don't see how this has anything to do with the mysql permissions since the request isn't coming from the localhost.

Cheers
BN
 
No help?

I don't know how to do this in any language, so this isn't a vb specific problem, and with any rdbms, so this isn't mysql related either. (so no reason to put this topic in mysql section)
 
Er.. What I mean is, you expose your database to the client app and let permissions do the work.. Or you do it via PHP scripts (ugh; wouldn't remoting be better?) but still using the permissions
 
Er.. What I mean is, you expose your database to the client app and let permissions do the work..

Yes, but how does my db know the request isn't faked? Unless I'm mistaken, this can be done, and I have no idea how to validate that the request is not forged.

A small example (only the relevant code ofc), or a link to an article explaining how to do this would be very appreciated :)

Cheers
BN
 
You could use public/private key pair encryption of submitted SQLs and returned results, that way only clients using a key that has a correspondent installed on the server, can work. It can also be used to assert identity
 
Yes, that would go a great length in making it secure, but what is preventing someone from encoding a fake message? The public key stored in the client app can be found with some tools I think, is this correct?

And how do I approach my database (mysql in this case) from a client? The db is only approachable from localhost for obvious security reasons...

Cheers
BN
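
Added example, not part of any post in this thread: one way a server-side script can tell a genuine write request from a forged or replayed one. It swaps the public/private key pair suggested above for a per-client shared secret with HMAC-SHA256 (Python standard library only); the client id, secret, operation name and SQL text are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data. One secret per client account (issued after login),
# so a secret pulled out of one installation only exposes that account.
CLIENT_SECRETS = {"client-42": b"constructed-demo-secret"}
# The client names an operation; it never submits SQL text.
ALLOWED_WRITES = {"set_email": "UPDATE users SET email = %s WHERE id = %s"}
MAX_SKEW = 300        # seconds a signed request stays acceptable
_seen_nonces = set()  # demo only; a real service needs a shared store with expiry


def sign_request(client_id, secret, op, params, nonce, ts):
    """Client side: serialize the request and compute its HMAC-SHA256 tag."""
    body = json.dumps({"client": client_id, "op": op, "params": params,
                       "nonce": nonce, "ts": ts}, sort_keys=True)
    return body, hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def verify_request(body, tag, now=None):
    """Server side: return (sql, params) for a genuine request, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        msg = json.loads(body)
        secret = CLIENT_SECRETS[msg["client"]]
        op, params, nonce, ts = msg["op"], msg["params"], msg["nonce"], msg["ts"]
        if not (isinstance(op, str) and isinstance(params, list)
                and isinstance(nonce, str) and isinstance(ts, (int, float))):
            raise ValueError
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed request or unknown client") from None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("bad signature")
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("stale request")
    if (msg["client"], nonce) in _seen_nonces:
        raise ValueError("replayed request")
    if op not in ALLOWED_WRITES:
        raise ValueError("operation not allowed")
    _seen_nonces.add((msg["client"], nonce))
    return ALLOWED_WRITES[op], tuple(params)
```

The returned statement and parameters are meant for a parameterized query run by the server's own database account, so MySQL can stay reachable from localhost only.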
 