I am a developer who wants to be able to make cross-platform applications and have come across Xamarin and React Native.
Since the language that Xamarin uses is C#, this means that the code has to be compiled before the application can be run. React Native, however, uses JavaScript. Since JavaScript source code can be seen on websites, and is downloaded into the webpage unlike PHP, this means that the user on the client end can easily view the source code. If the user is able to get to the source code easily and the application in question connects to a database, this means they would be able to view the password, making the application insecure.
The question is, if I were to make an application which connects to a MySQL database using React Native, would the user be able to easily view the source code like they can on a webpage, or is it compiled like Xamarin is, making it harder to view the source code?
The javascript does not compile to native code. It uses a bridge to communicate between javascript/native components. JS is obfuscated but that is about it. You should not be storing any secrets client side.
See: https://github.com/facebook/react-native/issues/1093
'As #vjeux said, we have no immediate plans to add encryption for JS bundle files, and yes, under the currently recommended bundling instructions, your JS will be included as plaintext that can be extracted and de-obfuscated with relative ease.'
He goes on to mention a way to base64 encode the jsbundle to deter 'casual' hackers but then explains it will not stop a 'determined hacker'.
You should not connect the client directly to the DB. You need a secure server to handle authentication, and retrieve and validate db queries.
Nothing is secure on the client. So you must validate all db queries before calling the db with them. See: https://www.acunetix.com/websitesecurity/sql-injection/ 'An SQL Injection needs just two conditions to exist – a relational database that uses SQL, and a user controllable input which is directly used in an SQL query.'
By allowing the client to directly connect to the DB, you cannot prevent the oldest of attacks.
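The point of the last three paragraphs (keep the database behind a server that holds the credentials, and validate what the client sends before it reaches SQL) as an added example, not code from the question or the answer above. It is Python with an in-memory SQLite table constructed here to stand in for the MySQL database; the names unsafe_lookup, safe_lookup and handle_lookup_request are my own, and unsafe_lookup is the string-concatenation shape the Acunetix quote describes, kept only as the "before" to contrast with the parameterized form.

```python
import sqlite3

# Constructed in-memory table standing in for the MySQL database in the
# question. Only this server-side module opens a connection, so the
# database credentials never appear in the JS bundle shipped to clients.
def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


DB = _make_db()


def unsafe_lookup(username: str) -> list:
    """The 'before' shape: client input pasted straight into the SQL text.
    A username containing quotes changes the meaning of the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return DB.execute(sql).fetchall()


def safe_lookup(username: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so whatever the client sent is compared as data, never parsed as SQL."""
    return DB.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


MAX_USERNAME_LEN = 32  # assumed application limit


def handle_lookup_request(params: dict) -> dict:
    """Server-side endpoint handler (hypothetical): validate the request
    fields, then run one fixed, parameterized query. The client chooses a
    username, never a query, and only gets back the fields the server picks."""
    username = params.get("username")
    if (
        not isinstance(username, str)
        or not username.isalnum()
        or len(username) > MAX_USERNAME_LEN
    ):
        return {"status": 400, "error": "invalid username"}
    rows = safe_lookup(username)
    if not rows:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "user": {"username": rows[0][0], "email": rows[0][1]}}
```

The allowlist check in handle_lookup_request is defence in depth: the parameterized query alone already stops the quote trick, but rejecting anything that is not a plausible username keeps junk out of the logs and the database.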
I use Swagger to generate both client/server API code. On my frontend (React/TS/axios), integrating the generated code is very easy: I make a change to my spec, consume the new version through NPM, and immediately the new API methods are available.
On the server side, however, the process is a lot more janky. I am using Java, and I have to copy and paste specific directories over (such as the routes, data types etc.) and a lot of the generated code doesn't play nice with my existing application (in terms of imports etc.). I am having the same experience with a Flask instance that I have.
I know that comparing client to server is apples to oranges, but is there a better way to construct a build architecture so that I don't have to go through this error-prone/tedious process every time? Any pointers here?
Consider a ClojureScript web application using reagent where the reagent components are subscribed to a single db atom containing a vector of maps. The contents of this vector are different for each user and have to be queried from a Mongo database (which is updated at regular intervals). The database might be hosted by a third party. Considering that CongoMongo, Karras and Monger are Clojure (not ClojureScript) libraries, what would be the best way to connect to MongoDB from a single-page ClojureScript/React.js app using Ajax?
This “answer” is more of a comment but here goes.
If you don't absolutely need a Clojure backend, I'd recommend having a ClojureScript-only single-page app without any Clojure wrapper to Mongo (so no need for Sente either). As Timothy Baldridge (of Cognitect, so he knows a thing or two about this 😛) pointed out, your ClojureScript app can just make HTTP REST requests to the database.
cljs-http is a ClojureScript project that uses Clojure's core.async library to make HTTP requests and is perfect for interacting with REST APIs if you know or can learn core.async.
A more conventional (i.e., callbacks) approach, but still very ClojureScript-friendly, is to use Google Closure's goog.net.XhrIo library. I have an example here of connecting to a public REST API using XhrIo and re-frame (built on top of reagent, and highly recommended) that may help show how to get started.
Using either of these ClojureScript/JS libs, you can make requests directly from the ClojureScript browser app to the database, get replies, parse the JSON with (js->clj (js/JSON.parse json-string)) or with transit-cljs, and do something with the result.
Since Mongo has a fairly simple REST interface (https://docs.mongodb.org/ecosystem/tools/http-interfaces/#simple-rest-api), I'd be tempted to just write my own CLJS code that calls the Mongo server. Depends on your security requirements. But writing the CLJS code would be no different than any other remote request. Just a bit of string concatenation and parameter serialization.
You could use sente to get communication going between the Reagent application and your web server. This SO answer references an example client/server application that consists of a web server with browser access, giving you some buttons to press that return information from the server. It is not Reagent - but you can substitute what they use. It is a starting point example that works out of the box.
Then build up the example's web server so that it communicates with the three Clojure libraries rather than just returning static text as it does.
I have a simple database application in mind and I am thinking of making it browser-accessible instead of creating a standalone one.
I have almost finished creating the DB schema in a PostgreSQL server and I will now start developing. My first idea was using PHP or Ruby on Rails to manage the backend logic and interfacing with the DB, but since this application is fairly simple I think that I can easily implement all business and data manipulation logic with JavaScript or with the DB triggers.
So I am now wondering: is there a way to directly send the queries to a PostgreSQL Server, without server-side scripting?
More generally: can a PostgreSQL (9.3) server receive the queries in HTTP requests and provide the results in HTTP responses?
I know this might sound stupid, and I am not looking for answers like "Use JS for presentation, PHP for logic and DB for data storage". I believe this is a lightweight solution for a very simple application, so I want to try it if possible!
Yes, that is possible.
What you can do is to send it via a REST API (POST, GET requests).
Here are some references for you:
https://github.com/begriffs/postgrest
https://github.com/pgrest/pgrest
Please take a look at this for more HTTP APIs.
[update!]
This idea is currently not possible (as I thought when I answered you before).
I thought it was possible after checking this node-postgres library written in JavaScript, but it uses Node.js-specific functions not present in the web browser, as stated by the library's creator himself and this answer at Stack Overflow.
There is this package called browserify that exports a Node.js JavaScript file into a browser front-end ready JavaScript file. The problem with node-postgres + browserify is that it throws some errors during the browserification process, precisely when it tries to access libpq (an API written in C for accessing PostgreSQL).
I'm sorry, I have misled you.
Yet I still have a suggestion for you. You can try CouchDB if you really want to build a backendless/serverless application. It is natively RESTful, handles authentication and authorization to some extent, is open source but, unfortunately, NoSQL. It processes queries based on the Map/Reduce paradigm and the Mango query language, so it's an entirely different world for you to discover if you are used to SQL.
[old answer, I'm leaving it here for learning purposes]
Have you considered using a PostgreSQL driver for JavaScript? It is not RESTful, but it can connect to PostgreSQL and query it!
The library is called node-postgres and you can download it via npm:
https://www.npmjs.com/package/pg
Just don't forget to enable SSL connections in the PostgreSQL server and in the client to avoid man-in-the-middle attacks.
And here's a tip: if you need an ACL for allowing or denying selects or inserts for specific users, you can manage that through PostgreSQL user management and privileges. PostgreSQL has row-level security, allowing you to define which rows in a table can be selected, updated and deleted for a given set of users or groups.
I'm using Delphi at the moment and have a program that connects to another program (a server) which has the MySQL database on it and sends the data back to the client. I have a web server that has the server program and the database, but my question is: can I just go straight from the client program I have made (Windows and future Mac) to the MySQL database on the web server? Or do I really need the server program? If so, what do I need to do to connect my client program to the MySQL database over the internet?
You should be able to access the MySQL database directly as long as you've created a user/pw combo for the database that allows remote access (security discussion aside). You'll then want to search for a compatible MySQL library that would ease the communication between your program and MySQL. At the far technical end you might have to read/write directly to the MySQL socket, but that's possible as well.
Depends on whether your client programs will continue to be native applications or whether you plan to migrate to browser based clients.
If they're native applications you can obtain library components for the languages they're written in which will be able to communicate directly with the MySQL database. There are plenty of options for Delphi; I'm not familiar with what options might be available for native Mac development (but, of course, Embarcadero is in the process of rolling out a Delphi that can generate Mac applications).
If, however, you're planning on making your clients browser-based, ajax solutions want to talk to a web server rather than a database server. In that case, you will need to maintain your middleware. For a discussion of whether it's possible or desirable to have a browser based application communicate directly with a database server see this question.
I would use SOAP/XML for this, and leave the SQL out of the client entirely.
This is a typical use case where REST (for example using JSON encoded database records) can be helpful. It is easy to implement a Delphi client using lkJSON or SuperObject, to put the database records from the HTTP response into a TClientDataSet.
Yes, it's possible, but is it a good idea?
Here's a basic discussion of 2-tier vs. 3-tier architecture.
Without reinventing the wheel, what can I use to manage user sessions in a web application and be able to respond with JSON to Ajax requests?
Is there some framework (made for example with Indy components or something like this)?
Note for bounty:
In practice it is enough for me to have a reply with a clear example of a server application that serves JSON. Somehow a Delphi version of the PHP example mentioned HERE (without the DB part; I want to see the basics of what it means to send JSON. I have basic knowledge of TIdHTTPServer).
You can take a look at our Synopse SQLite3 Framework, which was just updated to version 1.11.
It serves the data in pure JSON, ready to be used in any AJAX application.
You can also easily create services, more precisely client-server JSON RESTful services. In this case, you don't even need to use SQLite3 for your data storage.
This framework is pure open source, compiles/runs/is tested for Delphi 6 up to XE, and is Unicode ready for all versions of Delphi (it uses UTF-8 internally).
By using this framework, you could also easily create Delphi clients, using JSON data from the same server.
There is no internal user session handling yet, because there are several ways of implementing them, and, since our framework is RESTful, it is therefore stateless: no session is needed.
If you need it, I could easily add HTTP sessions using Cookies. What about the User authentication you are expecting?
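The question asks for session handling plus JSON replies to Ajax calls, and this answer mentions adding HTTP sessions with cookies. As an added example, not code from the answer or from the Synopse framework, here is the stateless variant of that in Python: a signed, expiring session cookie that the server verifies without storing anything, and a handler that answers with JSON. The secret, the TTL, and the function names are assumptions for the sketch.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side secret; a real deployment loads it from configuration,
# never from source. Anyone holding it can forge session cookies.
SECRET = b"replace-with-a-random-32-byte-secret"
SESSION_TTL = 3600  # seconds a session stays valid (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user_id: str, now: float = None) -> str:
    """payload.signature: the payload carries the user id and an expiry,
    the HMAC binds both so the client cannot edit either."""
    issued = int(now if now is not None else time.time())
    payload = _b64(json.dumps({"uid": user_id, "exp": issued + SESSION_TTL}).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session_cookie(cookie: str, now: float = None):
    """Return the user id for a valid, unexpired cookie, else None."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time, not ==
        return None
    try:
        data = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(data, dict) or data.get("exp", 0) <= current:
        return None
    return data.get("uid")


def login_response(user_id: str, now: float = None) -> tuple:
    """(status, headers, body) after a successful login. HttpOnly keeps the
    cookie away from page scripts, Secure keeps it off plain HTTP, SameSite
    limits cross-site requests from carrying it."""
    cookie = make_session_cookie(user_id, now)
    headers = {
        "Content-Type": "application/json",
        "Set-Cookie": f"session={cookie}; HttpOnly; Secure; SameSite=Strict; Path=/",
    }
    return 200, headers, json.dumps({"user": user_id})


def handle_request(headers: dict, now: float = None) -> tuple:
    """(status, headers, JSON body) for an Ajax call carrying the cookie."""
    session = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            session = value
    uid = verify_session_cookie(session, now) if session else None
    if uid is None:
        return 401, {"Content-Type": "application/json"}, json.dumps({"error": "unauthenticated"})
    return 200, {"Content-Type": "application/json"}, json.dumps({"user": uid, "message": "hello"})
```

The same shape carries over to a TIdHTTPServer handler: compute the signature on the server, put only the signed token in the cookie, and on each request verify before trusting the user id inside it. Logout with this design means letting the cookie expire or keeping a small server-side revocation list, since there is no session store to delete from.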
Maybe this can help you:
REST Servers in Delphi XE Using DataSnap Whitepaper
Learn how to build REST servers using features available in Delphi XE, how to extend them with extra Delphi support code and how to take advantage of the jQuery library.
Marco Cantù
http://app.en25.com/e/er.aspx?s=608&lid=4414&elq=d428643420d2494581299418d9753feb
DelphiMVCFramework does this
Some notable features:
RESTful (RMM Level 3) compliant
Can be used in load balanced environment using Redis (http://Redis.io) [dev]
Fancy URL with parameter mappings
Specialized renders to generate text, HTML, JSON
Powerful mapper to map JSON to objects and datasets to objects
Can be packaged as stand-alone server, Apache module (XE6, XE7, XE8) and ISAPI DLL
Integrated RESTClient; works with XE3, XE4, XE5, XE6, XE7 and XE8
Completely unit tested
There is a sample for each functionality
There is a complete set of trainings about it, but the samples are included in the project
Experimental support for IOCP [dev]
Server side generated pages using eLua (Embedded Lua) [removed soon]
Specific trainings are available (ask me for a date and a place)
Messaging extension using STOMP (beta)
Community driven (Facebook group https://www.facebook.com/groups/delphimvcframework)
Simple and documented
There are books that talk about the framework
Project web site: https://github.com/danieleteti/delphimvcframework
N.B. I'm the main developer
I would suggest Delphi on Rails, it is an open source REST/MVC/StateLess web framework.
http://code.google.com/p/delphionrails/
It uses:
superobject JSON parser
UIB/Firebird JSON driver
Cairo for SVG, PDF, PNG rendering
LUA for scripting/template ...
It is able to serialize automatically Delphi data structures to JSON using the new RTTI introduced in Delphi 2010 & XE.
I would recommend Super Object Toolkit.
http://www.progdigy.com
Example Code:
// Handler in the shape of a TIdHTTPServer OnCommandGet event; needs
// IdCustomHTTPServer and SuperObject in the uses clause. The original
// snippet omitted the AResponseInfo parameter it writes to.
procedure Share(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
var
  ReturnObject: ISuperObject;
begin
  ReturnObject := SO();                      // empty JSON object
  ReturnObject.B['success'] := False;        // boolean member "success"
  AResponseInfo.ContentType := 'application/json';
  AResponseInfo.ContentText := ReturnObject.AsJSon();  // serialize to text
end;
Daraja HTTP Framework, which uses Indy internally and adds a high level API for "web application contexts" and request mappings, loosely inspired by the Servlet API.
If you already have experience with TIdHTTPServer, you can directly access and adjust the server component according to your needs.
For JSON, you may use the built-in JSON support in newer Delphi versions or a third-party library (e.g. JsonDataObjects).
Disclaimer: I am the developer of the framework