Databases
Combining databases with the web has many uses. The web is very good
for presenting data from databases and for making database-driven
applications available to the whole world. Challenger includes modules
for database connections. These modules, together with such modules as
Business Graphics and Wizard, make
it simple to produce reports from databases as well as applications.
Challenger also contains a module that uses a table stored in a SQL
database for user authentication.
Challenger needs a Pike module to be installed for each kind of SQL
database it is to connect to. By default, modules for the free
databases ODBC, mSQL, MySQL and Postgres are provided. Modules for
connecting to Oracle and Informix are available with the full Roxen
Platform.
Database URLs
A connection to a database is specified with a URL-like syntax:
dbtype://user:password@db.host/dbname
The database type dbtype is one of msql, mysql, postgres, or
odbc. The user and password are used for authentication
of the user in the database server, db.host is the name of the
machine running the database server and dbname specifies the
name of the particular database.
Symbolic names
You usually do not want to specify a full database URL in an RXML tag.
With the SQL Databases module you can give symbolic
names to database URLs. This makes it unnecessary to have any database
passwords in the actual web pages. It also makes it possible to change
databases without changing the pages.
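The following is an added example, not code from the Challenger manual or the Roxen code base. It parses the dbtype://user:password@db.host/dbname form described above and resolves symbolic names to parsed connection descriptions, so that a page only ever names a database and the password stays in the configuration. The symbolic-name table, the helper names and all sample values are constructed for the example; only the URL syntax and the four database types come from the text.

```python
"""Parse Challenger-style database URLs and resolve symbolic names.

Added example (not Roxen's own code). The URL form
dbtype://user:password@db.host/dbname and the database types are taken
from the manual text; the symbolic-name table, helper names and sample
values are constructed here.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Database types the text lists for the modules shipped by default.
SUPPORTED_DBTYPES = {"msql", "mysql", "postgres", "odbc"}


@dataclass(frozen=True)
class DatabaseURL:
    dbtype: str
    user: str
    password: str
    host: str
    dbname: str

    def redacted(self) -> str:
        """URL form that is safe to write to logs or error pages: no password."""
        return f"{self.dbtype}://{self.user}:***@{self.host}/{self.dbname}"


def parse_database_url(url: str) -> DatabaseURL:
    """Split dbtype://user:password@db.host/dbname into its parts.

    Rejects unknown database types and URLs missing a required part, so a
    malformed configuration fails when it is loaded rather than at query time.
    Percent-encoding lets a password contain characters such as '@' or '/'.
    """
    parts = urlsplit(url)
    if parts.scheme not in SUPPORTED_DBTYPES:
        raise ValueError(f"unsupported database type: {parts.scheme!r}")
    if not parts.username or parts.password is None or not parts.hostname:
        raise ValueError("database URL needs user, password and host")
    dbname = parts.path.lstrip("/")
    if not dbname:
        raise ValueError("database URL needs a database name")
    return DatabaseURL(
        dbtype=parts.scheme,
        user=unquote(parts.username),
        password=unquote(parts.password),
        host=parts.hostname,
        dbname=dbname,
    )


# Constructed symbolic-name table, standing in for what the SQL Databases
# module keeps in the server configuration. Pages refer to "reports" or
# "accounts"; the URLs (and passwords) never appear in page source.
SYMBOLIC_NAMES = {
    "reports": "mysql://reader:s3cret@db.example.internal/sales",
    "accounts": "postgres://authd:pw%40here@auth.example.internal/users",
}


def resolve(name: str, table: dict = SYMBOLIC_NAMES) -> DatabaseURL:
    """Map a symbolic database name to a parsed connection description."""
    try:
        url = table[name]
    except KeyError:
        raise KeyError(f"no database configured under the name {name!r}") from None
    return parse_database_url(url)


if __name__ == "__main__":
    for name in SYMBOLIC_NAMES:
        print(name, "->", resolve(name).redacted())
```

Swapping the "reports" database for another server is then a change to the table only; every page that names "reports" keeps working, which is the point the text makes about symbolic names.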
Security considerations
Your foremost security consideration when it comes to databases is to
make sure that only the SQL queries you intend get sent to the
database. This means handling user input in such a way that it can
never change the actual SQL query. This is done through quoting. The
formoutput page in
the Web Site Creator manual shows how to do it in RXML.
To reduce your risks, use the access control system of your
database to make sure Challenger only has permission to do what it
actually needs to do. If you use Challenger to provide reports from
the database, Challenger should only be able to read tables, never
modify them.
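The following is an added example, not from the Challenger manual, that illustrates both points above: keeping user input from changing the SQL query, and giving the web server an account that can only read. It uses Python's bundled sqlite3 as a stand-in for the databases listed earlier (the same quoting rule, doubling every single quote inside a string literal, applies to them), and it models a read-only database account with sqlite3's authorizer hook rather than with a real GRANT. The table, rows, form inputs and function names are constructed here; the RXML formoutput tag itself is not reproduced.

```python
"""Keeping user input inside the query, and keeping the server read-only.

Added example, not Challenger's own code. sqlite3 stands in for the SQL
servers named in the manual; the orders table, the sample inputs and the
authorizer-based read-only account are constructed for the example.
"""
import sqlite3

# Constructed report table: one row per customer.
SAMPLE_ROWS = [("alice", 120), ("bob", 45), ("carol", 300)]


def open_report_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, total INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ROWS)
    return db


def sql_quote(value: str) -> str:
    """Escape a string for use inside single quotes in a SQL literal."""
    return value.replace("'", "''")


def totals_unquoted(db, customer: str):
    """The mistake: form input pasted straight into the query text."""
    query = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return db.execute(query).fetchall()


def totals_quoted(db, customer: str):
    """Quoting keeps the whole input inside the string literal."""
    query = (
        "SELECT customer, total FROM orders "
        f"WHERE customer = '{sql_quote(customer)}'"
    )
    return db.execute(query).fetchall()


def totals_parameterized(db, customer: str):
    """Preferred where the driver supports it: data never touches query text."""
    return db.execute(
        "SELECT customer, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def restrict_to_reads(db) -> None:
    """Stand-in for a database account that may only read tables."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    db.set_authorizer(authorizer)


def try_write(db) -> bool:
    """Return True if a write was accepted, False if the account was refused."""
    try:
        db.execute("DELETE FROM orders")
        return True
    except sqlite3.DatabaseError:  # "not authorized" when the authorizer denies
        return False


def demo() -> dict:
    """Run each query variant against two inputs and record what happened."""
    db = open_report_db()
    results = {}
    # An apostrophe in a real name breaks an unquoted query; input written to
    # alter the WHERE clause makes it return every row instead of none.
    for label, form_input in (("apostrophe", "O'Brien"), ("altered", "' OR '1'='1")):
        try:
            results[f"unquoted/{label}"] = len(totals_unquoted(db, form_input))
        except sqlite3.OperationalError:
            results[f"unquoted/{label}"] = "syntax error"
        results[f"quoted/{label}"] = len(totals_quoted(db, form_input))
        results[f"parameterized/{label}"] = len(totals_parameterized(db, form_input))
    # With a read-only account even a query that did get through cannot modify data.
    restrict_to_reads(db)
    results["write denied on read-only account"] = not try_write(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:45} {value}")
```

Both defences belong together: quoting (or parameters) keeps the query you wrote the only one that runs, and the read-only account limits the damage if a page is ever written without it, which is why the text recommends both.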