How safe is it really to access MySQL directly from an application?

I am developing a small application that is going to serve as a viewer (a sort of dashboard) for a web application that uses MySQL as its back-end database. The application will only be doing SELECTs, no INSERTs or UPDATEs or anything that changes the data. I know that the preferred way to architect this application would be to create a web service that has access to the database and then have the client app call the web service. This way you can really secure your MySQL database, allowing only localhost access.

On the other hand, having a web service raises the complexity and resources needed for the application a lot. Not only do I have to write the process twice, I have to write two sets of test suites plus integration tests, and since the client is written in .NET C# and the back end in PHP, I have to develop some kind of interchange format and keep switching between two languages and IDEs throughout the development process.

I am probably going to write the service, but what I wanted to know is: what has the experience out there been? Am I crazy just to consider accessing MySQL directly from a client, or have the fine engineers at Oracle done a decent job securing their database, at least for users with only read rights?

If you use direct access to your MySQL database just to select from tables, you will need users that only have the right permissions to ensure access security.

But you need to keep in mind that if you open the database port for external access, any security failure in your database will be exposed.

If you need other rules, for example a specific select that only selects the group access for a user, you will need to write procedures in your database that read params, and keep in mind that if some user exploits your application, he will be able to pass other params when querying your database.

Not only Oracle or MySQL: all databases have lots of security options for giving external access, but using them for complex applications is even more difficult than making a service layer to ensure secure access.

And you don't have encrypted communication for direct SQL querying by default.

Just make sure the user it accesses the database as doesn't have permission to do anything it doesn't need to do, such as drop tables.

A user with read-only rights should do the trick.
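Both answers come down to the same setup: a dedicated read-only account, a restricted source host, encryption on the wire, and a view or procedure instead of direct table access. The script below is an added example (not from either answer), showing a weak grant beside the hardened one; the `webapp` schema, the `orders` table, the `10.0.0.%` client subnet and the password are placeholders, and it assumes MySQL 5.7 or later with TLS already configured on the server.

```sql
-- Weak: what a quick setup often looks like. Any host, every privilege,
-- plaintext connections allowed.
CREATE USER 'dashboard'@'%' IDENTIFIED BY 'placeholder-password';
GRANT ALL PRIVILEGES ON *.* TO 'dashboard'@'%';

-- Hardened: drop the wildcard account, bind the user to the client
-- subnet, refuse unencrypted sessions and cap concurrent connections.
DROP USER IF EXISTS 'dashboard'@'%';
CREATE USER 'dashboard'@'10.0.0.%'          -- assumed dashboard subnet
  IDENTIFIED BY 'placeholder-password'
  REQUIRE SSL                               -- no plaintext sessions
  WITH MAX_USER_CONNECTIONS 5;

-- Expose only the columns the dashboard needs through a view, so
-- sensitive columns on the base table are never readable by this account.
CREATE VIEW webapp.orders_overview AS
  SELECT id, status, total, created_at
  FROM webapp.orders;
GRANT SELECT ON webapp.orders_overview TO 'dashboard'@'10.0.0.%';

-- Row-level restriction via a stored procedure: the account gets EXECUTE
-- only and cannot touch webapp.orders directly. Note the caveat from the
-- first answer: a compromised client can still call this with any group
-- id, so the procedure limits shape, not which group a caller may pick.
DELIMITER //
CREATE PROCEDURE webapp.orders_for_group(IN p_group_id INT)
  SQL SECURITY DEFINER
  READS SQL DATA
BEGIN
  SELECT id, status, total, created_at
  FROM webapp.orders
  WHERE group_id = p_group_id;
END //
DELIMITER ;
GRANT EXECUTE ON PROCEDURE webapp.orders_for_group TO 'dashboard'@'10.0.0.%';

-- Check the result: the output should list only USAGE, SELECT on the view
-- and EXECUTE on the procedure, nothing on *.* and nothing that writes.
SHOW GRANTS FOR 'dashboard'@'10.0.0.%';
```

The `REQUIRE SSL` clause only enforces encryption for this account; the server still needs its own certificate and key configured, and the C# client must request TLS in its connection settings for the session to be accepted.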