So, I’m new here. My friends have been going to every length to make sure I switch to wappler. Everything looks and feels alright. I’m familiar with all the extensions since I am a dreamweaver buff.
Now my question is, is wappler for mom and pop store websites? Can you really build a powerful global real cash application on wappler? Why does database query limit max at 1000?
How far can you throttle with wappler? With the source code to the functions powering your website visible on your page in “View Source” how can anyone be sure wappler sites are safe?
I could go on with my questions, you have an idea.
You can go as far as your imagination goes
You can build complex back-end systems for any need - custom Content Management Systems, User Management, Appointments, Events etc. as well as the front-end for them.
You can check the real-life user examples in the Showcase Section to get an idea of what our users are creating with Wappler.
Maybe some of the @wappler_ambassadors can also explain what else they built
As for the database connection - the queries are not limited, you can show as many records as you like.
Also - all the server-side stuff is being executed on the server, so no code is exposed anywhere on the front end and nothing can be seen/done in “View Source”. With “View Source” you only see the HTML and the binding names nothing unusual and nothing to worry about, as your server actions are secured on the server.
That is in the DW extension only (using an older version of database connector there than in Wappler) and actually it's just that we forgot to remove the limit input from there.
Yes you can. If you have the foresight and planning, and an understanding of dynamic data and database basics. If you enter into Wappler with these fundamentals you can create whatever you require including very powerful applications. It will be your skill as a Developer that dictates how far you can extend the capabilities of Wappler.
This is the same for any website pretty much (especially WordPress, Joomla, and off the shelf mainstream CMS platforms)... If someone wants in they will generally find a way. Usually through the back-end by exploiting unpatched vulnerabilities on the server for example. Wappler can not protect against such a threat. That is really down to the host or developer to safeguard and audit respectfully. Saying that, we have used DMX and Wappler codebases on multiple projects on various platforms, and to our knowledge the codebase has not been exploited. Whereas we have seen many WordPress deployments exploited in the same environments. Just maintain everything, update all libraries, audit your code (check time-stamps and server logs, set up correct permissions for your back-end, be sensible, be on top, and take responsibility).
@Teodor I checked the source on some showcases, and my own app and found that all the server connect components with their URL & GET parameters are exposed in the source. Isn't that something to be concerned about?
Applying server side security as given in the tutorial below does help, but is that enough?
For actions which already print the results on your page, that is not an issue. You can already see the same results on a page that is public…
Of course in your admin part you should take care of protecting your data, but that is valid for any kind of website - built with or without Wappler.
For the admin part, I do have security restrict in place and it works well. But, does having the names exposed pose a threat to abuse of API?
Before Wappler, I have used ajax for API calls, and URLs are exposed there too, but they are not as easily visible in a series of lines as here.
Also, could you please suggest any more general measures for protecting the API & data, besides security restrict action?
This is true. But as you had written earlier, for public pages, this is not an issue.
My main concern was for the admin pages, for which security restrict seems to work great!
... unless your query includes data which you are not displaying on the page.
Something which may not be obvious to people starting with Wappler is that whatever data is included in the query is easily accessible - whether or not it's displayed on the page. Eg if someone chooses the default asterisk/all fields, that could be a security issue (eg if your products table includes your cost prices). I'm referring to pages which are publicly accessible, not backend pages which can be protected of course. (Or am I wrong, and there is a way to prevent access to this data?)
Well, we already discussed this a few times, but again - this is not Wappler related. That’s something valid for all the tools out there from hand coding PHP to any tool you can think of.
That’s the basics of designing your data structures.
There is no logical reason to include data which you don’t want to show on the page in your query…
That’s why the query builder allows you to select only the database fields you need to use on the page.
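The point made in the two posts above (a server action's query result goes out in full to whoever calls the URL visible in View Source, so a default "all fields" query on a products table exposes cost prices the page never displays) as an added example, not Wappler's own code. The `products` columns, the `PUBLIC_FIELDS` list and the `findLeakedFields` audit helper are constructed for the illustration; Node.js is assumed.

```javascript
// Added example (not Wappler code): the fields in a server-side query matter
// even when the page does not display them, because the endpoint behind a
// Server Connect component returns the whole query result as JSON.

// Constructed sample rows standing in for a `products` table. Column names
// are assumptions; `cost_price` is the internal value the thread warns about.
const PRODUCTS_TABLE = [
  { id: 1, name: "Widget", retail_price: 19.99, cost_price: 7.5, supplier_id: 42 },
  { id: 2, name: "Gadget", retail_price: 49.0, cost_price: 21.0, supplier_id: 17 },
];

// The fields the public product page actually binds (assumed for the example).
const PUBLIC_FIELDS = ["id", "name", "retail_price"];

// Equivalent of a query built with the default asterisk: every column goes out.
function queryAllFields(rows) {
  return rows.map((row) => ({ ...row }));
}

// Equivalent of selecting only the needed columns in the query builder.
function querySelectedFields(rows, fields) {
  return rows.map((row) =>
    Object.fromEntries(fields.filter((f) => f in row).map((f) => [f, row[f]]))
  );
}

// What the server action URL would return to the browser, or to anyone else.
function serveAsJson(rows) {
  return JSON.stringify({ query: rows });
}

// Defender-side audit: given a response body and the fields a page binds,
// list every extra field the endpoint exposes that the page never uses.
function findLeakedFields(responseBody, boundFields) {
  const rows = JSON.parse(responseBody).query;
  const exposed = new Set(rows.flatMap((row) => Object.keys(row)));
  return [...exposed].filter((f) => !boundFields.includes(f)).sort();
}

const leakyResponse = serveAsJson(queryAllFields(PRODUCTS_TABLE));
const tightResponse = serveAsJson(querySelectedFields(PRODUCTS_TABLE, PUBLIC_FIELDS));

console.log("asterisk query leaks:", findLeakedFields(leakyResponse, PUBLIC_FIELDS));
console.log("selected query leaks:", findLeakedFields(tightResponse, PUBLIC_FIELDS));
```

Running `findLeakedFields` against a real endpoint's JSON and the page's bindings turns the "did I select too much?" question into a repeatable check before a page goes public.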