
Friday, January 20, 2006

XML - Using MySQL with AJAX (part 2)

When I suggested MySQL had a big part to play in the X of AJAX it was more of a case of throwing ideas into the ether than any solid or contrived plan. My initial thought was simply to allow the web server to talk directly with MySQL and return the XML needed for a given select statement. The goal was to avoid the normal middle stage of using some sort of scripting to accept the statement, call a standard MySQL select and process the result into an XML format: something along the lines of MySQL being an XML factory, where you pass in the select and MySQL directly passes back the XML.

Some great ideas have been suggested, mainly around using --xml to format the output directly from the command line, which would interact with Apache through a module. I've been able to knock up a Perl program which is capable of doing this, but it has raised more concerns than solid answers.

When I looked at this more closely the immediate concern was how unsecured the whole thing would be; not so much unsecured as completely open, in fact. The original idea was to essentially call MySQL directly from JavaScript (via the web server), but that would mean having the select statement, or at least the table and column names, visible in the JavaScript. There would be no way to secure that without some level in between.

The original post in fact wasn't suggesting that we interface directly with MySQL as it currently is; it was more of a look into the future to see where, for example, stored procedures could be taken. The idea would have been to use stored procedures to accept parameters which were then turned into select statements, with XML returned. That way we could at least avoid the potential for SQL injection attacks, or people simply calling SQL statements at will.
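To make the difference between the two designs concrete, here is an added example (not code from the original post, and not the Perl program mentioned above) that puts the "completely open" endpoint side by side with the "parameters in, XML out" endpoint. It uses Python with an in-memory sqlite3 database as a stand-in for MySQL so it runs offline; the table names, the `product_by_id` procedure name and the sample rows are all constructed for the illustration. The XML follows the resultset/row/field layout that `mysql --xml` produces, built with the standard library.

```python
import sqlite3
from xml.etree import ElementTree as ET


def make_db():
    """Constructed sample schema; sqlite3 stands in for MySQL here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE user_secret (id INTEGER PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.5)])
    conn.execute("INSERT INTO user_secret VALUES (1, 'do-not-leak')")
    conn.commit()
    return conn


def rows_to_xml(columns, rows, statement):
    """Serialise a result set as <resultset><row><field name=..>..</field></row></resultset>."""
    root = ET.Element("resultset", statement=statement)
    for r in rows:
        row_el = ET.SubElement(root, "row")
        for col, val in zip(columns, r):
            field = ET.SubElement(row_el, "field", name=col)
            field.text = "" if val is None else str(val)
    return ET.tostring(root, encoding="unicode")


def open_endpoint(conn, sql_from_client):
    """The 'no level in between' design: the browser sends a SELECT and the
    server runs it verbatim. Whatever tables the database user can read, the
    JavaScript can read, and the statement text itself is echoed back."""
    cur = conn.execute(sql_from_client)
    columns = [d[0] for d in cur.description]
    return rows_to_xml(columns, cur.fetchall(), sql_from_client)


# Hypothetical catalogue of allowed operations, standing in for stored
# procedures: the client may only name one of these and supply its parameters.
ALLOWED = {
    "product_by_id": ("SELECT id, name, price FROM product WHERE id = ?", 1),
}


def layered_endpoint(conn, proc_name, params):
    """The stored-procedure-style design: the client names an operation and
    passes values. The SQL text never leaves the server, and values are bound
    through placeholders, so they cannot change the shape of the statement."""
    if proc_name not in ALLOWED:
        raise ValueError("unknown procedure")
    sql, arity = ALLOWED[proc_name]
    if len(params) != arity:
        raise ValueError("wrong number of parameters")
    cur = conn.execute(sql, params)
    columns = [d[0] for d in cur.description]
    # Echo only the procedure name, not the SQL, in the statement attribute.
    return rows_to_xml(columns, cur.fetchall(), proc_name)


if __name__ == "__main__":
    db = make_db()
    print(open_endpoint(db, "SELECT id, name FROM product"))
    print(layered_endpoint(db, "product_by_id", [1]))
```

Note that even the layered version still reveals column names through the `name` attribute of each `field`; if that matters, alias the columns in the server-side SQL so the client sees only the names you choose to publish.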

Don't get me wrong, the ideas have been great and I'm still confident MySQL can be central to an AJAX system in the way suggested, but maybe not with the minimal number of levels I might have first envisaged.
