My company makes Point of Sale and accounting systems. Each client (being a restaurant or supermarket) has a server machine on the local network that has MS SQL, so all cashier applications connect to it. However, when we migrated to Flutter, it became difficult to connect to MS SQL Server (especially on the web platform). And when I read about it, it is always said that this is a bad practice and imposes security issues, and that the correct way to do it is using an API. I don't see how that would be a bad solution for my problem, and making an API would just complicate a lot of things. So I have two questions:
- Is it still a bad practice in my situation? If so, is an API the only best solution?
- If it's fine to do it that way, how do I connect to MS SQL Server using Flutter on the web platform?
For the Android platform in Flutter, I used this package, and it works fine; however, I was not able to find such a package that supports web.
1 Answer
Is it still a bad practice in my situation? If so, is an API the only best solution?
An API is definitely a safer way to go. SQL gives a lot of power to the end user to delete things, or steal all the data. For that reason I'd consider this approach bad practice.
There are ways to mitigate the issues that come up, but it requires being a SQL expert. For instance, you can use SQL to control individual user permissions, e.g.
-- Table permissions are SELECT/INSERT/UPDATE/DELETE; EXECUTE applies to procedures and functions
GRANT SELECT ON table1 TO blah;
or you could write SQL functions to limit what SQL the users can run. This can prevent them deleting all the records. However, some things are more tricky, like denial of service, or running a painfully slow query on some unindexed field causing it to hang. Or locking a record for editing forever. These gotchas are what make it bad practice.
You can use certificate-based logins and things, but all in all, the easiest way to secure the system is to tighten access to the network. Use a separate wired network with VLAN separation and ensure it's not easy for someone to plug a cable into an unsecured access point.
Whether I'd rewrite it to use an API or buy something better off the shelf depends on quite how big this product is.
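As an added illustration of the permission-based mitigation the answer mentions (this is not code from the answer), the T-SQL below gives a cashier role EXECUTE on one stored procedure and denies it direct access to the table. All object names (dbo.Sales, dbo.usp_AddSale, cashier_role, cashier01) and the amount limit are hypothetical; run it in SSMS or sqlcmd, where GO separates batches.

```sql
-- Hypothetical POS schema, constructed for this example only.
CREATE TABLE dbo.Sales (
    SaleId    INT IDENTITY(1,1) PRIMARY KEY,
    CashierId INT           NOT NULL,
    Amount    DECIMAL(10,2) NOT NULL CHECK (Amount > 0),
    SoldAt    DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- The only write path offered to cashier clients.
CREATE PROCEDURE dbo.usp_AddSale
    @CashierId INT,
    @Amount    DECIMAL(10,2)
AS
BEGIN
    SET NOCOUNT ON;
    SET LOCK_TIMEOUT 5000;  -- give up after 5 s rather than wait on a lock indefinitely

    IF @Amount <= 0 OR @Amount > 100000  -- assumed business limit
    BEGIN
        RAISERROR('Amount out of range.', 16, 1);
        RETURN;
    END;

    INSERT INTO dbo.Sales (CashierId, Amount) VALUES (@CashierId, @Amount);
END;
GO

-- Role-based permissions: execute the procedure, nothing directly on the table.
CREATE ROLE cashier_role;
GRANT EXECUTE ON OBJECT::dbo.usp_AddSale TO cashier_role;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Sales TO cashier_role;

-- Test principal with no login, used only to check the effective permissions.
CREATE USER cashier01 WITHOUT LOGIN;
ALTER ROLE cashier_role ADD MEMBER cashier01;
GO

-- Impersonate the cashier and inspect what it can actually do.
EXECUTE AS USER = 'cashier01';
EXEC dbo.usp_AddSale @CashierId = 1, @Amount = 12.50;
SELECT HAS_PERMS_BY_NAME('dbo.Sales', 'OBJECT', 'DELETE')        AS can_delete_sales,
       HAS_PERMS_BY_NAME('dbo.usp_AddSale', 'OBJECT', 'EXECUTE') AS can_add_sale;
REVERT;
GO
```

The procedure can still write to dbo.Sales because both objects are owned by dbo, so ownership chaining skips the permission check on the table. This limits what a client login can change but does not address the slow-query and denial-of-service cases the answer describes.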