
Article: XQuery, the Server Language
Subject: Security concerns
Date: 2007-06-08 01:11:52
From: Kurt Cagle
Response to: Security concerns

The point you raise is valid, though again you're also talking here in this brief article example code meant to showcase a principle, not protect against intrusion.


In a more complete working implementation, security actually happens at a number of levels:


1) Authentication - you can create and maintain authenticated sessions with something like eXist (and most XML databases that I'm aware of).
2) XML validation - I've shown above the very simple example of query string parameters being passed, but realistically, XQuery really begins to come into its own once you start combining it with an XML generator (such as XForms) on the client. As you can validate such content, this holds a great deal of promise in reducing or even eliminating many types of client/server loopholes.
3) Modularization (Web Services) - simply put, you declare XQuery functions and do your processing there, possibly with proxies to process incoming requests and filter out potentially bad ones. I'll get into that in a subsequent article.


There are other techniques you can use too, but in general, most of the assumptions about security with SQL databases also carry over into XML ones.
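As an added illustration of points 2 and 3 (this is not Kurt Cagle's code or the article's), the XQuery below keeps request handling inside declared functions: one filters the incoming parameter against an allowed pattern, the other uses the value only as a typed comparison, never as text spliced into the query. It assumes eXist's request module and a hypothetical /db/products collection of product elements with a code attribute.

```xquery
xquery version "1.0";
(: Added example, not from the article. The request namespace is eXist's;
   the /db/products collection and its product/@code layout are assumed. :)
declare namespace request = "http://exist-db.org/xquery/request";

(: Accept only short, plain product codes; everything else is rejected
   before it reaches the data. :)
declare function local:valid-code($value as xs:string?) as xs:boolean {
  exists($value) and matches($value, "^[A-Za-z0-9_-]{1,32}$")
};

(: The lookup takes a typed parameter and uses it as a comparison value,
   so the shape of the query is fixed regardless of the input. :)
declare function local:find-product($code as xs:string) as element()* {
  collection("/db/products")//product[@code = $code]
};

let $code := request:get-parameter("code", ())
return
  if (local:valid-code($code)) then
    <results>{ local:find-product($code) }</results>
  else
    <error>Rejected request parameter</error>
```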



