WeWeb and SQL - About security, SQL injection, exposed credentials and threats

renatoasse · January 29, 2024, 2:20pm

Hey there,

I’m recording some lessons on WeWeb’s SQL Integration, and some questions came up about security:

Question 1) My SQL Query is exposed on the console:
UZ6K6w61jCrv6B4I

So, doesn’t it leave me vulnerable to SQL injection and other threats?

Question 2) As the call is being made clientside, could a user have access to my database credentials?

We do know that Clientside API calls always expose all data sent, and that’s why we should always use serverside calls when dealing with sensitive data.
How does that concept apply to SQL connections on WeWeb?

Thanks!

Joyce · January 29, 2024, 3:12pm

Hi @renatoasse

Great questions!

Yes, it does.
Also, yes.

As mentioned in the user docs, the SQL plugin should be used with caution:

We will add a warning in-app to make this crystal clear.

Heifinator · January 29, 2024, 4:19pm

To solve this problem we had to use our backend API to access SQL. We are not using the SQL collections plugin, just the rest API.

renatoasse · January 29, 2024, 5:41pm

@Joyce ,

Understood, thanks!

Topic		Replies	Views
Need toconnect to MySQL Ask us anything design	8	97	February 28, 2024
Trouble connecting to MySQL Ask us anything	1	399	April 27, 2022
{"success":false,"code":"INTERNAL_ERROR"} Ask us anything authentication	3	198	November 9, 2023
WeWeb Platform Security Ask us anything security	6	511	March 18, 2024
Question: What happens if Weweb apps get DDOS attacks? Ask us anything	3	153	September 18, 2023

WeWeb and SQL - About security, SQL injection, exposed credentials and threats

Related Topics