 

Why is it a bad practice to connect a SQL database from JavaScript?

According to this question, it looks like connecting to a SQL database from JavaScript is strongly recommended against and has security issues.

Could you please specify what exactly is problematic and why?

Yakov asked Jan 09 '23 13:01


2 Answers

delete all_users

No, for real! Do you really want to allow anyone to access your database and edit it as they like? There is no way to secure access in any way if you just give anyone access!

Your username and password will be exposed so everyone can alter your database. JavaScript is not safe for saving passwords!

Patrick Hofman answered Jan 15 '23 13:01


Let's honestly break this down here...

So you have an application that requires data. That data needs to come from somewhere. You can get that data from an SQL database.

Now while SQL has permission-based access etc., to properly secure something that is literally "open to the wild" you would have to lock it down pretty hardcore. This is not particularly easy with SQL (compared to other technologies) and can leave you open to a few things.

An SQL server is designed to be in a closed environment where only the server-side code will communicate with it. To get data from it you need a username/password. So this would have to be stored client-side. So you can now get your data. And you only get the data you need. But what is stopping any real-world user trying to get more? Well, unless you locked down every table and every stored proc and all the other stuff - nothing. Also, what is stopping the user just leeching the entire database? From what I know about SQL you can't limit a user to getting a certain number of rows.

What a proxy service - or web service, or any kind of front-end service designed to be used by the public - does is provide some way for you to filter or set limits on what can be accessed. If your application only requires certain data, then the service will only ever provide that data. The call is fixed - getUserProfile(). The server already knows the current user so it will only get that user's details. If there were a getUserProfile(65), how would you really know if user '65' was actually the one requesting it?

SQL doesn't understand the complexities of cookies or session variables, it just says 'hey, there's a valid username and password, give them all the things they have access to!' It is not designed to only return one row based on the user.

So to summarise, you can't control how much data a user can access, so you use a web service that understands what the user should be seeing, and only provides that information.

...And this is just reading from the database - writing is a whole new level of pain and suffering.

TL;DR This is a bad idea

Michael Coxon answered Jan 15 '23 14:01
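
The fixed getUserProfile() call described in the second answer, as an added example that is not code from either answerer: the service resolves the caller from the session and ignores any client-supplied id. Python's built-in sqlite3 stands in for the SQL server here; the table names, session tokens and sample rows are constructed assumptions.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                            password_hash TEXT);
        CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER);
        INSERT INTO users VALUES (64, 'alice', 'alice@example.test', 'hash-a'),
                                 (65, 'bob',   'bob@example.test',   'hash-b');
        INSERT INTO sessions VALUES ('tok-alice', 64), ('tok-bob', 65);
    """)
    return db

def current_user_id(db, session_token):
    """Resolve the caller's identity server-side from the session token."""
    row = db.execute("SELECT user_id FROM sessions WHERE token = ?",
                     (session_token,)).fetchone()
    return row[0] if row else None

def get_user_profile(db, session_token, request_params=None):
    """Fixed call: one row, fixed columns, keyed only by the session's user.

    request_params stands for whatever the client sent. It is deliberately
    never used to choose the row, so a client-supplied id selects nothing.
    """
    user_id = current_user_id(db, session_token)
    if user_id is None:
        return None  # no valid session: no data at all
    # Column list is fixed by the service; password_hash is never selected.
    row = db.execute("SELECT id, name, email FROM users WHERE id = ?",
                     (user_id,)).fetchone()
    return dict(zip(("id", "name", "email"), row)) if row else None

if __name__ == "__main__":
    db = make_db()
    # Alice's session asking for user 65 still gets only Alice's row.
    print(get_user_profile(db, "tok-alice", {"id": 65}))
    # An unknown token gets nothing.
    print(get_user_profile(db, "forged-token", {"id": 65}))
```

The database credentials live only in the server process, and the client can influence neither which row is read nor which columns come back.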