WeWeb and SQL - About security, SQL injection, exposed credentials and threats

Hey there,

I’m recording some lessons on WeWeb’s SQL Integration, and some questions came up about security:

Question 1) My SQL Query is exposed on the console:

So, doesn’t it leave me vulnerable to SQL injection and other threats?

Question 2) As the call is being made clientside, could a user have access to my database credentials?

We do know that client-side API calls always expose all data sent, and that's why we should always use server-side calls when dealing with sensitive data.
How does that concept apply to SQL connections on WeWeb?

Thanks!


Hi @renatoasse :wave:

Great questions!

  1. Yes, it does.

  2. Also, yes.

As mentioned in the user docs, the SQL plugin should be used with caution:

We will add a warning in-app to make this crystal clear.

To solve this problem we had to use our backend API to access SQL. We are not using the SQL collections plugin, just the REST API.

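The backend-API pattern the replies above point to, as an added example that is not WeWeb's code or anything posted in this thread: a small Node endpoint owns the connection string and the query text, validates the one parameter the browser is allowed to send, and binds it instead of splicing it into the statement. The `DATABASE_URL` value, the `/api/product` route, the `products` table, the sample rows and the stubbed `execute` function are all assumptions for this illustration; in production `execute` would be a driver call such as node-postgres's `pool.query(text, values)`.

```javascript
// Added example (not WeWeb's code). A backend endpoint owns the database
// credentials and the query text; the browser only sends an id.
// DATABASE_URL, the /api/product route, the products table and the sample
// rows are assumptions for this illustration.

// Credentials live only in the server's environment, never in page code.
const DATABASE_URL = process.env.DATABASE_URL || 'postgres://app:s3cret@db.internal:5432/shop';

// The statement is a server-side constant; user input is bound as $1
// (node-postgres placeholder syntax), so it can never change the SQL itself.
const PRODUCT_BY_ID = 'SELECT id, name, price FROM products WHERE id = $1';

// Stand-in for the database so this file runs offline (constructed sample data).
// In production this is pool.query(text, values) on a pool built from DATABASE_URL.
const PRODUCTS = [
  { id: 1, name: 'Lamp', price: 20 },
  { id: 2, name: 'Desk', price: 150 },
];
function execute(text, values) {
  if (text !== PRODUCT_BY_ID) throw new Error('refusing unexpected statement');
  return PRODUCTS.filter((p) => p.id === values[0]);
}

// Validate the untrusted parameter before it gets anywhere near the query:
// only a positive integer literal is accepted, anything else is rejected.
function parseProductId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,15}$/.test(raw)) return null;
  const id = Number(raw);
  return id > 0 ? id : null;
}

// Returns the bound query the server would run, or null for bad input.
function buildQuery(raw) {
  const id = parseProductId(raw);
  return id === null ? null : { text: PRODUCT_BY_ID, values: [id] };
}

// One request in, {status, body} out; no socket needed to exercise it.
function handleProductRequest(rawId) {
  const q = buildQuery(rawId);
  if (q === null) return { status: 400, body: { error: 'id must be a positive integer' } };
  const rows = execute(q.text, q.values);
  if (rows.length === 0) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: rows[0] };
}

// For contrast, what a client-side query does: the statement is assembled in
// the browser, so the same input rewrites the SQL instead of being a value.
function clientSideConcatenation(rawId) {
  return `SELECT id, name, price FROM products WHERE id = ${rawId}`;
}

// Minimal HTTP wrapper; run `node api.js --serve` and GET /api/product?id=1.
async function startServer(port) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const url = new URL(req.url, 'http://localhost');
    if (req.method !== 'GET' || url.pathname !== '/api/product') {
      res.writeHead(404).end();
      return;
    }
    const { status, body } = handleProductRequest(url.searchParams.get('id'));
    res.writeHead(status, { 'content-type': 'application/json' });
    res.end(JSON.stringify(body));
  });
  return new Promise((resolve) => server.listen(port, () => resolve(server)));
}

if (process.argv.includes('--serve')) {
  startServer(3000).then(() => console.log('listening on http://localhost:3000'));
}
```

The check worth keeping from this: with the server-side route, nothing a user types can alter `PRODUCT_BY_ID`, and the only thing visible in the browser console is the request `?id=1` and the JSON response, never the connection string. Calling `clientSideConcatenation('1 OR 1=1')` shows why the plugin approach is different: the input becomes part of the statement, and anyone who can see that statement in the console can also edit it.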

@Joyce ,

Understood, thanks!