|© 2000 Roxen Internet Software
Combining databases with the web has many uses. The web is very good for presenting data from databases and for making database-driven applications available to the whole world. Roxen includes modules for database connections. Together with modules such as Business Graphics and Wizard, they make it simple to produce reports from databases as well as to build applications. Roxen also contains a module that uses a table stored in a SQL database for user authentication.
Roxen needs a Pike module to be installed for each kind of SQL database it is to connect to. By default, modules for ODBC and for the free databases mSQL, MySQL and Postgres are provided. Modules for connecting to Oracle and Informix are available with the full Roxen Platform.
A connection to a database is specified with a URL-like syntax: driver://user name:password@host/database
The driver is one of informix, msql, mysql, postgres, odbc, oracle or sybase. The user name and password authenticate Roxen to the database server, host is the host name of the machine running the database server, and database is the name of the particular database on that server.
Some drivers treat the host differently. The ODBC driver uses host as a name configured in the odbc.ini file.
You usually do not want to specify a full database URL in an RXML tag. With the SQL Databases module you can give symbolic names to database URLs. Pages then refer to a database by name, so no database password needs to appear in the web pages themselves, and the underlying database can be changed without changing the pages.
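The following is an added example, not Roxen's own code: a parser for the driver://user name:password@host/database form described above, plus a lookup table of symbolic names standing in for the SQL Databases module, so that a page refers to a name and never to a URL containing a password. Only the syntax the text shows is implemented; the constraints on which characters a user name or password may contain, and the registry contents, are assumptions of this example, not documented Roxen behaviour.

```python
"""Added example, not Roxen's own code: parse the
driver://user name:password@host/database form and keep the real URL
behind a symbolic name so pages never carry a password.
"""
import re

KNOWN_DRIVERS = ("informix", "msql", "mysql", "postgres", "odbc", "oracle", "sybase")

# driver://user:password@host/database
# Assumption of this example: the user name contains none of ':' '@' '/',
# and the password contains neither '@' nor '/' (the text does not say how
# such characters would be escaped).
_URL_RE = re.compile(
    r"^(?P<driver>[a-z]+)://"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^/]*)"
    r"(?:/(?P<database>.*))?$"
)


def parse_db_url(url):
    """Split a database URL into its parts; raises ValueError on bad input."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not a database URL: %r" % url)
    parts = m.groupdict()
    if parts["driver"] not in KNOWN_DRIVERS:
        raise ValueError("unknown driver: %r" % parts["driver"])
    # For the ODBC driver the host field names a data source in odbc.ini.
    parts["host_is_dsn"] = parts["driver"] == "odbc"
    return parts


def redact(url):
    """Return the URL with the password hidden, safe for logs and error pages."""
    p = parse_db_url(url)
    out = p["driver"] + "://"
    if p["user"] is not None:
        out += p["user"]
        if p["password"] is not None:
            out += ":***"
        out += "@"
    out += p["host"]
    if p["database"] is not None:
        out += "/" + p["database"]
    return out


# Constructed registry: what an administrator would configure once in the
# SQL Databases module. Pages only ever use the left-hand names.
DATABASE_NAMES = {
    "reports": "mysql://roxen:s3cret@db.example.com/reports",
    "users": "odbc://roxen:pw@userdb_dsn",
}


def resolve(name, registry=DATABASE_NAMES):
    """Look up a symbolic name; the URL itself never has to appear in a page."""
    try:
        return registry[name]
    except KeyError:
        raise ValueError("no database named %r is configured" % name)


if __name__ == "__main__":
    for name in DATABASE_NAMES:
        print(name, "->", redact(resolve(name)))
```

The redact() helper is the piece worth copying: anything that echoes a connection URL into a log or an error page should go through it, since the password is part of the URL string.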
Your foremost security consideration when it comes to databases is to make sure that only the SQL queries you intend get sent to the database. This means handling user input in such a way that it can never change the structure of the SQL query, only the data values it compares against. The RXML tags that connect to databases do the necessary quoting by default, but if you write scripts you need to take care of the quoting yourself.
To reduce your risks, use the access control system of your database to make sure Roxen only has permission to do what it actually needs to do. If you use Roxen to provide reports from the database, Roxen should only be able to read tables, never modify them.
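The following is an added example serving both paragraphs above; it is not Roxen or Pike code. It uses Python's standard sqlite3 module so it runs offline: the table, its rows and the attacker's input are constructed for the example, quote_sql_string() is a hypothetical stand-in for a driver's own quote function, and sqlite's read-only connection mode stands in for the GRANT SELECT you would give the Roxen account on a real server. It shows a query assembled by string concatenation being rewritten by user input, the same query with the input quoted or bound, and a modification attempt failing against a read-only connection.

```python
"""Added example, not Roxen or Pike code: why user input must be quoted or
bound, and what a read-only database account buys when quoting is
forgotten. Uses the sqlite3 module from Python's standard library.
"""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data: the kind of table a report page would display.
SAMPLE_ROWS = [(1, "alice", 1200), (2, "bob", 800), (3, "carol", 950)]


def make_db(path):
    """Create and fill the example database file."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sales (id INTEGER PRIMARY KEY, rep TEXT, amount INTEGER)")
    con.executemany("INSERT INTO sales VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def run_concatenated(con, rep):
    """Unsafe: user input is pasted into the SQL text and can rewrite the query."""
    sql = "SELECT id, rep, amount FROM sales WHERE rep = '" + rep + "'"
    return con.execute(sql).fetchall()


def quote_sql_string(value):
    """Standard-SQL string quoting: wrap in quotes, double every quote inside.
    Hypothetical helper standing in for the driver's own quote function.
    A real driver also handles backslashes where the server treats them as
    escapes (MySQL does), so in production use the driver's function."""
    return "'" + value.replace("'", "''") + "'"


def run_quoted(con, rep):
    """Quoted: whatever the input is, it can only ever be one string literal."""
    sql = "SELECT id, rep, amount FROM sales WHERE rep = " + quote_sql_string(rep)
    return con.execute(sql).fetchall()


def run_bound(con, rep):
    """Preferred: a bound parameter, so the SQL text never changes at all."""
    return con.execute("SELECT id, rep, amount FROM sales WHERE rep = ?", (rep,)).fetchall()


def try_update(con):
    """Try to modify the table; True if the database allowed it, False if it refused."""
    try:
        con.execute("UPDATE sales SET amount = 0")
        con.commit()
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    """Run every case and return the results so they can be checked."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "reports.db")
    try:
        make_db(path)
        attacker = "nobody' OR '1'='1"   # constructed attacker input
        results = {}
        rw = sqlite3.connect(path)
        results["concat_rows"] = len(run_concatenated(rw, attacker))  # 3: every row leaks
        results["quoted_rows"] = len(run_quoted(rw, attacker))        # 0: no rep has that name
        results["bound_rows"] = len(run_bound(rw, attacker))          # 0
        results["bound_honest"] = run_bound(rw, "bob")                # [(2, 'bob', 800)]
        results["rw_can_write"] = try_update(rw)  # True: a read-write account can be misused
        rw.close()
        # Reconnect the way a report-only account should see the database.
        # On a real server this is GRANT SELECT; sqlite's mode=ro stands in for it.
        ro = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
        results["ro_can_write"] = try_update(ro)  # False: least privilege caps the damage
        ro.close()
        return results
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The two defences are independent: quoting or binding keeps the attacker from changing the query, and the read-only account keeps a missed quoting bug from turning into modified or deleted data. Apply both, and check the grant on the database side rather than trusting the pages to get the quoting right everywhere.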