PyQT app accessible over network?

Chris Angelico rosuav at gmail.com
Sun Feb 24 15:58:42 CET 2013


On Mon, Feb 25, 2013 at 1:31 AM, Wolfgang Keller <feliphil at gmx.net> wrote:
>> As far as doing client/server stuff with just a database engine,
>> unless you have tight control over the environment end to end, from a
>> security pov, it's not a good idea to expose the database engine
>> itself to the internet.  Better to put a restricted web services API
>> in front of it that handles all the authorization needs
>> (access-control) on the detailed level that you require.
>
> Excuse me but that's bullshit.

I don't use the term but I absolutely agree with the sentiment. Of
course, if you're assuming a MySQL setup, then yes, exposing the
database engine directly would have risks. But I grew up with DB2, and
there were MANY ways in which you could control exactly what people
could do (views and stored procedures being the two easiest/most
commonly used) - to the extent that one of the recommended
organizational structures was to have the end-user login actually *be*
the database connection credentials, and to have your fancy app just
connect remotely. There's a guarantee that someone who logs in as a
non-administrator cannot access administrative functionality.
PostgreSQL has all those same features, packaged up in an open source
system; MySQL has a philosophical structure of "user logs in to app,
but app logs in to database as superuser regardless of user login".

ChrisA



More information about the Python-list mailing list