How 'serious a website' can you build on Wappler?

So, I’m new here. My friends have been going to every length to make sure I switch to wappler. Everything looks and feels alright. I'm familiar with all the extensions since I am a dreamweaver buff.

Now my question is, is wappler for mom and pop store websites? Can you really build a powerful global real cash application on wappler? Why does database query limit max at 1000?

How far can you throttle with wappler? With the source code to the functions powering your website visible on your page in “View Source” how can anyone be sure wappler sites are safe?

I could go on with my questions, you have an idea.

Hi @Citizens9 and welcome to Wappler community!

You can go as far as your imagination goes :slight_smile:
You can build complex back-end systems for any need - custom Content Management Systems, User Management, Appointments, Events etc. as well as the front-end for them.

You can check the real-life user examples in the Showcase Section to get an idea of what our users are creating with Wappler.
Maybe some of the @wappler_ambassadors can also explain what else they built :slight_smile:

As for the database connection - the queries are not limited, you can show as many records as you like.

Also - all the server-side stuff is being executed on the server, so no code is exposed anywhere on the front end and nothing can be seen/done in “View Source”. With “View Source” you only see the HTML and the binding names :slight_smile: nothing unusual and nothing to worry about, as your server actions are secured on the server.

1 Like

Where is a DB query Limit @ 1000?

Create database query source. On Dreamweaver extensions. Limit is set to 1000.

Thanks a lot. Loving this already.

1 Like

That is in the DW extension only (using an older version of the database connector there than in Wappler) and actually it’s just that we forgot to remove the limit input from there.

1 Like

Yes you can. If you have the foresight and planning, and an understanding of dynamic data and database basics. If you enter into Wappler with these fundamentals you can create whatever you require, including very powerful applications. It will be your skill as a Developer that dictates how far you can extend the capabilities of Wappler.

This is the same for any website pretty much (especially Wordpress, Joomla, and off-the-shelf mainstream CMS platforms)… If someone wants in they will generally find a way. Usually through the back-end by exploiting unpatched vulnerabilities on the server, for example. Wappler cannot protect against such a threat. That is really down to the host or developer to safeguard and audit respectfully. Saying that, we have used DMX and Wappler codebases on multiple projects on various platforms, and to our knowledge the codebase has not been exploited. Whereas we have seen many Wordpress deployments exploited in the same environments. Just maintain everything, update all libraries, audit your code (check time-stamps and server logs, set up correct permissions for your back-end, be sensible, be on top, and take responsibility).

My two cents :wink:

3 Likes

If HTML + JS + PHP can build it,
then Wappler can. There is no fixed limit on anything by Wappler.

1 Like

All of the above but with one proviso that I think should be coming soon - server-side API integration :wink:
then the sky isn’t even your limit :sunny:

1 Like

@Teodor I checked the source on some showcases, and my own app and found that all the server connect components with their URL & GET parameters are exposed in the source. Isn’t that something to be concerned about?


Applying server side security as given in below tutorial does help, but is that enough?

For actions which already print the results on your page, that is not an issue. You can already see the same results on a page that is public…
Of course in your admin part you should take care of protecting your data, but that is valid for any kind of website - built with or without Wappler.

For the admin part, I do have security restrict in place and it works well. But, does having the names exposed pose a threat to abuse of API?
Before Wappler, I have used ajax for API calls, and URLs are exposed there too, but they are not as easily visible in a series of lines as here.

Also, could you please suggest any more general measures for protecting the API & data, besides security restrict action?

Not really - the server action only returns the data you are using on the page… all you can see is a json file with the data you see on your page.

That’s pretty much enough for the server actions which require to be protected.

1 Like

@nshkrsh just for your info - even the web apps of big companies like DHL are using the same API calls, which are clearly accessible in the console:

This is true. But as you had written earlier, for public pages, this is not an issue. :slight_smile:
My main concern was for the admin pages, for which security restrict seems to work great!

2 Likes

Web apps made using Wappler are secure when you use it correctly. I have tested a website with Netsparker and no vulnerabilities were found.

3 Likes

That's great to hear! I am a bit less worried now. :sweat_smile:

Do you have any particular suggestion regarding securing Wappler apps, besides the security restrict action?

As serious as a heart attack.:nerd_face:

… unless your query includes data which you are not displaying on the page.

Something which may not be obvious to people starting with Wappler is that whatever data is included in the query is easily accessible - whether or not it’s displayed on the page. E.g. if someone chooses the default asterisk/all fields, that could be a security issue (e.g. if your products table includes your cost prices). I’m referring to pages which are publicly accessible, not backend pages which can be protected of course. (Or am I wrong, and there is a way to prevent access to this data?)

Well, we already discussed this a few times, but again - this is not Wappler related. That’s something valid for all the tools out there from hand coding PHP to any tool you can think of.

That’s the basics of designing your data structures.
There is no logical reason to include data which you don’t want to show on the page, in your query…

That’s why the query builder allows you to select only the database fields you need to use on the page.

1 Like
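The two concerns raised in this thread (server action URLs being visible in the page source, and a query that selects every column sending fields the page never shows) come down to the same check: a public server action should return only the fields the page needs. The added example below is not Wappler's code; it uses a constructed products table and shows the "all fields" projection beside an explicit column list, plus a small audit that walks the JSON a server action returns and reports any field from a sensitive list. Table, column and field names are assumptions.

```javascript
// Added example, not part of Wappler. The table rows are constructed sample data
// standing in for a "products" table that includes internal cost prices.
const PRODUCTS_TABLE = [
  { id: 1, name: "Lamp", price: 25.0, cost_price: 11.5, supplier_id: 7 },
  { id: 2, name: "Chair", price: 80.0, cost_price: 42.0, supplier_id: 3 },
];

// Columns a public page is allowed to receive (assumed names).
const PUBLIC_COLUMNS = ["id", "name", "price"];
// Columns that must never appear in a public response (assumed names).
const SENSITIVE_COLUMNS = ["cost_price", "supplier_id"];

// The default "all fields" query: every column reaches the JSON the page gets.
function queryAllFields(table) {
  return table.map((row) => ({ ...row }));
}

// Explicit projection: the equivalent of picking only the needed fields in the query builder.
function queryColumns(table, columns) {
  return table.map((row) => Object.fromEntries(columns.map((c) => [c, row[c]])));
}

// The SQL an explicit projection corresponds to. Identifiers come from the allowlist,
// never from request input, and are validated before being placed in the statement.
function buildSelect(tableName, columns) {
  const ident = /^[A-Za-z_][A-Za-z0-9_]*$/;
  for (const c of [tableName, ...columns]) {
    if (!ident.test(c)) throw new Error(`bad identifier: ${c}`);
  }
  return `SELECT ${columns.join(", ")} FROM ${tableName}`;
}

// Audit helper: given the JSON a server action returns, list any sensitive keys
// found anywhere in it (nested objects and arrays included), sorted for stable output.
function findLeakedFields(payload, sensitive) {
  const leaked = new Set();
  const walk = (v) => {
    if (Array.isArray(v)) {
      v.forEach(walk);
    } else if (v && typeof v === "object") {
      for (const [k, val] of Object.entries(v)) {
        if (sensitive.includes(k)) leaked.add(k);
        walk(val);
      }
    }
  };
  walk(payload);
  return [...leaked].sort();
}
```

Run `findLeakedFields` over the JSON your public server action actually returns (fetched the same way the page does) to confirm nothing outside the intended columns is being sent.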