Path: csiph.com!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed2.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
Return-Path: <rosuav@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.006
X-Spam-Evidence: '*H*': 0.99; '*S*': 0.00; 'extent': 0.07; 'postgresql': 0.07; 'api': 0.09; 'app,': 0.09; 'commonly': 0.09; 'credentials,': 0.09; 'system;': 0.09; 'used)': 0.09; 'stored': 0.10; '"user': 0.16; 'db2,': 0.16; 'fancy': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'pov,': 0.16; 'require.': 0.16; 'mon,': 0.16; 'wrote:': 0.17; 'handles': 0.18; 'app': 0.19; 'feb': 0.19; 'regardless': 0.21; 'assuming': 0.22; 'features,': 0.22; 'setup,': 0.22; 'idea': 0.24; 'header:In-Reply-To:1': 0.25; 'am,': 0.27; 'structures': 0.27; 'message-id:@mail.gmail.com': 0.27; 'received:209.85.212': 0.28; 'environment': 0.29; 'end,': 0.29; 'restricted': 0.29; 'source': 0.29; 'connection': 0.30; 'stuff': 0.30; 'structure': 0.32; 'could': 0.32; 'to:addr:python-list': 0.33; 'front': 0.33; 'recommended': 0.33; 'agree': 0.34; 'received:google.com': 0.34; 'open': 0.35; 'doing': 0.35; 'subject:?': 0.35; 'received:209.85': 0.35; 'there': 0.35; 'but': 0.36; 'itself': 0.37; 'level': 0.37; 'two': 0.37; 'being': 0.37; 'received:209': 0.37; 'far': 0.37; 'subject:: ': 0.38; 'login': 0.38; 'to:addr:python.org': 0.39; 'end': 0.40; 'your': 0.60; 'skip:n 10': 0.63; 'services': 0.64; 'absolutely': 0.84; '2013': 0.84; 'packaged': 0.84; 'risks.': 0.84; 'subject:over': 0.84; 'end-user': 0.91; 'exposing': 0.91; 'grew': 0.91
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=wsGSWk7mzZtkoj8mpbNEoTkTtOfwzrcsoU/U3qqZn8U=; b=X0qBCAt4YVMIuQ94ELq/zso/Lqdk4vXdIwuixqcl5bDJ8FbLZ4JmEZHH8FZXByUSmH wiSEOExAHiXzsHNit9InYn0j8vaVfDkCC4FMiEcnn7r3yyHngSQfPaTjAVlCZixFua1x pueeqsZ70krL0AJ1qyLR6P1b5jMB3wy/OQCGms4AFq3IhTHcWFF1UuyHKlZSQc19NYdZ h3BCUd86lvHltmXSZMuBjwvZK8Es4AeXTC05yVM99hBMu4uyo8bGCyhJaOevRBLElhEm XH+u+YFOAF++rAyikf1EZH9RMrdaRCBLvDTvAqvcrMmUCWPyOIUm3uWHmhD7XS6K6VFu bBjA==
MIME-Version: 1.0
X-Received: by 10.52.22.194 with SMTP id g2mr7614341vdf.91.1361717922759; Sun, 24 Feb 2013 06:58:42 -0800 (PST)
In-Reply-To: <20130224153134.4cab73a958ac7d1af476ae3d@gmx.net>
References: <mailman.2180.1361463791.2939.python-list@python.org> <20130222164513.9377097f0cf2add2a6d16204@gmx.net> <kg87jq$kfd$1@ger.gmane.org> <CAO+9iGdCtzkkp=p5aA96qA9wqz+QDHc8mZTKwqUqpcd1ZUfFuA@mail.gmail.com> <kg8p5a$9en$1@ger.gmane.org> <mailman.2312.1361576247.2939.python-list@python.org> <20130224153134.4cab73a958ac7d1af476ae3d@gmx.net>
Date: Mon, 25 Feb 2013 01:58:42 +1100
Subject: Re: PyQT app accessible over network?
From: Chris Angelico <rosuav@gmail.com>
To: python-list@python.org
Content-Type: text/plain; charset=ISO-8859-1
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.2408.1361717925.2939.python-list@python.org>
Lines: 25
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1361717925 news.xs4all.nl 6853 [2001:888:2000:d::a6]:34588
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:39749

On Mon, Feb 25, 2013 at 1:31 AM, Wolfgang Keller <feliphil@gmx.net> wrote:
>> As far as doing client/server stuff with just a database engine,
>> unless you have tight control over the environment end to end, from a
>> security pov, it's not a good idea to expose the database engine
>> itself to the internet.  Better to put a restricted web services API
>> in front of it that handles all the authorization needs
>> (access-control) on the detailed level that you require.
>
> Excuse me but that's bullshit.

I don't use the term but I absolutely agree with the sentiment. Of
course, if you're assuming a MySQL setup, then yes, exposing the
database engine directly would have risks. But I grew up with DB2, and
there were MANY ways in which you could control exactly what people
could do (views and stored procedures being the two easiest/most
commonly used) - to the extent that one of the recommended
organizational structures was to have the end-user login actually *be*
the database connection credentials, and to have your fancy app just
connect remotely. There's a guarantee that someone who logs in as a
non-administrator cannot access administrative functionality.
PostgreSQL has all those same features, packaged up in an open source
system; MySQL has a philosophical structure of "user logs in to app,
but app logs in to database as superuser regardless of user login".

ChrisA