Databases

Combining databases with the web has many uses. The web is very good for presenting data from databases and for making database-driven applications available to the whole world. Challenger includes modules for database connections. These modules, together with modules such as Business Graphics and Wizard, make it simple to produce reports from databases as well as to build applications. Challenger also contains a module that uses a table stored in a SQL database for user authentication.

To connect to a particular kind of SQL database, Challenger needs the corresponding Pike module to be installed. By default, modules for the free databases ODBC, mSQL, MySQL and Postgres are provided. Modules for connecting to Oracle and Informix are available with the full Roxen Platform.

Database URLs
A connection to a database is specified with a URL-like syntax:

dbtype://user:password@db.host/dbname
The database type dbtype is one of msql, mysql, postgres, or odbc. The user and password are used for authentication of the user in the database server, db.host is the name of the machine running the database server and dbname specifies the name of the particular database.

Symbolic names
You usually do not want to specify a full database URL in an RXML tag. With the SQL Databases module you can give symbolic names to database URLs. This makes it unnecessary to have any database passwords in the actual web pages. It also makes it possible to change databases without changing the pages.

Security considerations
Your foremost security consideration when it comes to databases is to make sure that only the SQL queries you intend get sent to the database. This means handling user input in such a way that it can never change the actual SQL query. This is done through quoting. The formoutput page in the Web Site Creator manual shows how to do it in RXML.

To reduce your risks, use the access control system of your database to make sure Challenger only has permission to do what it actually needs to do. If you use Challenger to provide reports from the database, Challenger should only be able to read tables, never modify them.
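
The two points above (quoting user input, and giving the web server read-only access for reports) shown side by side, as an added example in Python that is not part of the Challenger manual. It assumes an in-memory SQLite database as a stand-in for the database servers named on this page; the table, the sample rows and all function names are constructed for illustration, and `PRAGMA query_only` stands in for the database's own access control system.

```python
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the database server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, balance INTEGER)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("Smith", 10), ("O'Brien", 20), ("Jones", 30)])
    db.commit()
    return db

def lookup_unquoted(db, name):
    # Weak: the input is pasted into the SQL text, so a quote character
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def sql_quote(value):
    # Standard SQL quoting: double each single quote inside the literal.
    # Servers that also treat backslash as an escape (MySQL by default)
    # need the database's own quoting routine instead.
    return "'" + value.replace("'", "''") + "'"

def lookup_quoted(db, name):
    # The input stays inside one string literal whatever it contains.
    sql = "SELECT name FROM customers WHERE name = " + sql_quote(name)
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Parameter binding keeps the value out of the SQL text altogether.
    sql = "SELECT name FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def try_delete(db):
    # Reports whether this connection is able to modify the table.
    try:
        db.execute("DELETE FROM customers")
        return "modified"
    except sqlite3.OperationalError:
        return "refused"

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 'a'='a"  # constructed input containing quote characters
    print("unquoted:", lookup_unquoted(db, crafted))  # every row comes back
    print("quoted:  ", lookup_quoted(db, crafted))    # no customer has that name
    print("bound:   ", lookup_bound(db, "O'Brien"))
    db.execute("PRAGMA query_only = ON")  # stand-in for a read-only account
    print("delete:  ", try_delete(db))
```

Even a legitimate name such as `O'Brien` breaks the unquoted query with a syntax error, which is a quick test for missing quoting in a page that builds SQL from form input.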