ADOxtra for Macromedia Shockwave Multiuser Server

Security Issues with ADOxtra_MUS

Database driven MUS application usually relies on correct information stored in the database. Good application should protect itself from putting incorrect data into the database. Application's developer usually makes (should make) every afford to be sure the data is correct, but what if someone get known how to connect to your MUS and which DataSources and Queries you are using (let us say the sources of the client movie are available). Then more freedom you give to the client movie, more likely the data could be destroyed.

Actually, there are two common structure of the databasing application. The first one usually called client-server type of application, where almost all program logic is encoded in the client side and server is used only for storing data and communication. ADOxtra fully supports this type of applications by allowing passing data directly to client. So, if client knows how to connect to the server and which Query objects are available, then it knows enough to use database. You may limit client capabilities by using only predefined parameterized queries. This could guarantee, that client cannot destroy the data or make it totally incorrect. This is a moderate security mode. It is suitable for most cases when similar data in database has similar level of access.

If you have defined a Query object which allows client movies to apply any SQL, then this is unsecured mode. It is usually not recommended, although it could be useful for authoring.

The most of security you may get by using three-tier logical structure of the application. Limit all DataSources to server only access, so they will not be available for clients at all. Make your client to call server side Lingo handlers, which will decide whether to allow passing data or not. This approach is quite effective, since all data processing logic is implemented within a single logical module.