Security in databases

Let's say I have a database that anyone can read. In my front-end code I set it up to display only one record after the user gives me some information.

Database has email as ID and a bunch of information. I ask the user for their email and make a query to display only the information on their record.

If my database can be accessed by anyone, does that mean that someone with developer tools / coding knowledge can bypass my code and access all the records in the database?

Hi Carlos,

Take a look at the article About Collection Permissions. Just use the permission setting that best suits your needs.

You also have the option of “locking down” your database and doing your queries in the backend. In backend code you can use the suppressAuth option for retrieving and saving to the database. See the WixDataOptions API for more details.

I hope this helps,

Yisrael

Thanks! I’m going to do the query on the backend using suppressAuth. I want to do a query based on an input field then add values to other fields. What do I have to write on the back end and how to connect it to the page code?

See the article Calling Server-side Code from the Front-end with Web Modules for information on backend coding. In the .jsw (web module) file, write queries just as you would in the page code. You’ll just need to include the import of the wix-data API at the beginning of the file:

import wixData from 'wix-data';

You now call the backend (web module) functions from your page code as described in the article (and as shown in comments in the .jsw file when it’s created). Since the queries are in the backend, you can then use suppressAuth to access a “locked down” database collection.

This is what I have. The backend function is receiving the data but it is not performing the query. I am not getting any error or object. For now I am not using suppressAuth.

If I try that code in the frontend it works.

Frontend

import {email} from 'backend/email.jsw';

export function click(event) {
    email($w("#input1").value)
        .then(function () {
            console.log("sent");
        });
}

Backend

import wixData from 'wix-data';

export function email(data1) {
    let userEmail = data1;

    console.log(userEmail);                 // Console log successful

    wixData.get("Profile", userEmail)
        .then((results) => {
            let item = results;
            console.log(item);              // Nothing happens
        })
        .catch((err) => {
            let errorMsg = err;
            console.log(errorMsg);          // Nothing happens
        });
}

Hi,
The get function returns a Promise that resolves to the item with ID itemId. You need to set the ID as the parameter instead of the email. You can also use wixData.query to get an item by its email field.

Good luck 🙂
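
The approach described in the replies above (query in a backend web module, match on the email field, read with suppressAuth), as an added example that is not part of the original thread or Wix's own code. `wixData` is passed in as a parameter, and `fakeWixData`, `ROWS`, `PUBLIC_FIELDS` and the field names other than `email` are constructed assumptions so the sketch runs offline; in a real `.jsw` file you would import `wix-data` and export the function instead.

```javascript
// Fields the page may see; names other than email are hypothetical.
const PUBLIC_FIELDS = ['email', 'displayName', 'city'];

// Backend lookup. wixData is injected here; in a .jsw file it is the
// imported wix-data module.
function lookupProfile(wixData, rawEmail) {
  // Validate on the server: whatever the browser sends is untrusted.
  const email = String(rawEmail || '').trim();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return Promise.reject(new Error('invalid email'));
  }
  // Return the promise so the caller waits for the query to finish.
  return wixData.query('Profile')
    .eq('email', email)             // match the email field, not _id
    .limit(1)
    .find({ suppressAuth: true })   // the collection itself stays locked down
    .then((results) => {
      if (results.items.length === 0) return null;
      const item = results.items[0];
      // Hand back only the allowed fields, never the whole record.
      return Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, item[f]]));
    });
}

// Constructed sample rows for the offline run.
const ROWS = [
  { _id: 'a1', email: 'ann@example.com', displayName: 'Ann', city: 'Oslo', internalNotes: 'vip' },
  { _id: 'b2', email: 'bob@example.com', displayName: 'Bob', city: 'Rome', internalNotes: 'overdue' },
];

// Constructed in-memory stand-in for the subset of wix-data used above.
function fakeWixData(rows) {
  return {
    query(collection) {
      let filter = () => true, max = 50;
      const q = {
        eq(field, value) { filter = (r) => r[field] === value; return q; },
        limit(n) { max = n; return q; },
        find(options) {
          // Models a locked-down collection (constructed error message).
          if (!options || !options.suppressAuth) {
            return Promise.reject(new Error('permission denied'));
          }
          return Promise.resolve({ items: rows.filter(filter).slice(0, max) });
        },
      };
      return q;
    },
  };
}
```

With this shape the page only ever receives the `PUBLIC_FIELDS` of one matching record, so calling the web module directly from developer tools does not expose the rest of the collection.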