Hi! I have a web application (PHP) that needs to read data from a SQL Server database. What's the safest way to do that? We were thinking about using views, but would that really be secure, or do we need to do more? Thanks!
Will this be a Microsoft SQL Server?
Views are neither more nor less secure than querying tables directly. The real security issues won't be related to whether or not you are using views.
The real security issues are going to be related to how those queries are built and executed in PHP. If the queries are concatenated strings, then you will be wide open to SQL injection attacks. If all of your code is built to use parameterized queries, then you reduce that risk.
Ideally, you wouldn't use direct access to tables or views, and instead create stored procedures. And those stored procedures would not utilize any type of dynamic SQL where passed-in values from the client are directly concatenated into a string that is then executed (same issue: open to SQL injection).
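To make the three cases in the answer above concrete, here is an added PHP example (it is not code from the thread). It assumes the Microsoft pdo_sqlsrv driver, a view `dbo.vw_Customers` with columns `CustomerId` and `Email`, a stored procedure `dbo.usp_GetCustomerByEmail` taking `@Email NVARCHAR(256)`, and a low-privilege login `app_reader`; all of those names are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the original thread. Connection details, the view,
// the stored procedure and the login name are all assumed for illustration.
$dsn = 'sqlsrv:Server=localhost;Database=ShopDb';
$pdo = new PDO($dsn, 'app_reader', getenv('DB_PASSWORD'), [
    // Surface driver errors as exceptions instead of silently returning false.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// VULNERABLE: the user-controlled value is spliced into the SQL text.
// An input of  x' OR 1=1 --  changes the query to return every row of the view;
// reading through a view instead of a table does nothing to prevent that.
function findByEmailUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT CustomerId, Email FROM dbo.vw_Customers WHERE Email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value is sent to the server as
// a typed parameter and is never parsed as SQL, whatever characters it contains.
function findByEmailSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare(
        'SELECT CustomerId, Email FROM dbo.vw_Customers WHERE Email = :email'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE, through a stored procedure: app_reader only needs EXECUTE on the
// procedure, not SELECT on the underlying tables or views. The procedure body
// must itself use the parameter directly (WHERE Email = @Email) and not rebuild
// the statement with EXEC(@sql) from @Email, or the injection risk simply moves
// server-side, as the answer notes.
function findByEmailProc(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('EXEC dbo.usp_GetCustomerByEmail @Email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: a classic tautology payload.
$hostile = "x' OR 1=1 --";

// With the parameterized versions this is just an email address nobody has,
// so both calls return an empty result set rather than the whole view.
var_dump(findByEmailSafe($pdo, $hostile));
var_dump(findByEmailProc($pdo, $hostile));
```

The parameterized and stored-procedure variants pair naturally with least privilege on the database side: grant `app_reader` only `EXECUTE` on the procedures (or, if you stay with views, only `SELECT` on the specific views), so that even a bug elsewhere in the PHP code cannot be turned into reads of arbitrary tables.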