WeWeb and SQL - About security, SQL injection, exposed credentials and threats

renatoasse · January 29, 2024, 2:20pm

Hey there,

I’m recording some lessons on WeWeb’s SQL Integration, and some questions came up about security:

Question 1) My SQL Query is exposed on the console:
UZ6K6w61jCrv6B4I

So, doesn’t it leave me vulnerable to SQL injection and other threats?

Question 2) As the call is being made clientside, could a user have access to my database credentials?

We do know that Clientside API calls always expose all data sent, and that’s why we should always use serverside calls when dealing with sensitive data.
How does that concept apply to SQL connections on WeWeb?

Thanks!

Joyce · January 29, 2024, 3:12pm

Hi @renatoasse

Great questions!

Yes, it does.
Also, yes.

As mentioned in the user docs, the SQL plugin should be used with caution:

We will add a warning in-app to make this crystal clear.

Heifinator · January 29, 2024, 4:19pm

To solve this problem we had to use our backend API to access SQL. We are not using the SQL collections plugin, just the rest API.

renatoasse · January 29, 2024, 5:41pm

@Joyce ,

Understood, thanks!

Topic		Replies	Views
Need toconnect to MySQL Ask us anything design	8	191	February 28, 2024
How to access to a database self-hosted? Ask us anything	5	328	November 22, 2023
Security Questions Ask us anything	9	1291	May 20, 2022
Postgres Sql IP Range Ask us anything	2	23	September 6, 2024
Where to report security vulnerabilities? Ask us anything security	7	103	October 16, 2024

WeWeb and SQL - About security, SQL injection, exposed credentials and threats

Related topics