On Thu, Jul 22, 2010 at 3:09 PM, Brian Bruns <brian@bruns.com> wrote:
> Hi Michael,
>
> We're still here at OSCON if you want to stop by.
>
> It's intended for use in applications, so it's really no different
> than using the native database APIs vis-a-vis security, all the same
> concerns apply.  We just make it easier to get to the database.
>
> Brian

Applications mask the queries though.

via PHP:

foo.php?file=1

via DBRelay:

/sql?sql=SELECT something FROM table WHERE file_id=somevariable

(of course URL encoded, blahblah)

Seems to me the model shouldn't be used for anything that would be an
information disclosure to anything sensitive. For instance, perhaps
you want a user's email address. well, depending on how it's done, you
could SHOW COLUMNS FROM user; or SELECT * FROM user; instead of SELECT
email FROM user ... right?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx