I quoted Erel's statement from the tutorial thread.
jRDC2 can work with any database that provides a JDBC driver. All popular databases are supported.
It is much more powerful than the PHP based solution and it has excellent performance.
It is also safer as the SQL commands are set in the server side.
Disclaimer: This is based on my understanding and logic. I could be wrong.
Now let's see your question.
sorry for my ignorance but i hear a lot of people saying using PHP is not safe to connect to a MySQL DB.
and i hear a lot erel saying the best solution is to use jRDC2. so i tried and watched the whole tutorial of him here
I am not sure where you hear a lot of people saying PHP is not safe to connect to MySQL DB. Any system developed by developer (with programming language such as PHP, Python, C#, etc) can be either vulnerable
to hacker or
it is more difficult
for a hacker to do something illegal. If someone develop using PHP in a proper way
, I think it can be secured
i must say that i was surprised that everything worked. so i managed to run the example and it works fine.
One of the benefits of developing with PHP vs B4X (jRDC) is the latter make it more simpler when you want to switch to different database. Let say you have created an application with MySQL, you want to switch the database to MariaDB, MSSQL, PostgresSQL or SQLite. There may be more codes to write or you need to change the function names. For example, you need to use sqlsrv_connect() if you want to connect to MSSQL vs mysql_connect() for MySQL. However, I use PDO when developing with PHP which is more convenient and cleaner. I see in many tutorials or sample projects about PHP, the developers will connect to database in every function in every PHP page without using a class. They are not following DRY (Don't Repeat Yourself).
Regarding the performance, PHP is much depending on other engine like Apache or Redis whereas jRDC itself is the server and application in one. It is also compiled compares to PHP which is interpreted during runtime. Until you get JIT (Just-in-time compilation) which will be available in PHP 8. jRDC is based on a very high performance Java Jetty server. Forget about all the complex plugin and PHP configuration settings in Apache. It is very fast to boot up and kill the process too compare to Apache services.
so now i understand that i need to put the jar file on my server and connect the client to it but why is it safer than other solutions?
The path you store the jar file is not the public accessible. The server has protected it. You can't type in your browser to access the /<root>/home/jrdc/server.jar
Not sure about "other solutions". If you talk about PHP, the index.php and all other php files are stored in the root and can be listed from the File Explorer. Generally, there are no viewable source code inside the root directory tree if we are using jRDC. There are no config.php to store the DB connection string and password inside the root directory that someone can directly view/edit.
i mean the hacker could just search the server for the jar file, download it and extract it and get the config.properties file.
right? or am i wrong?
Yes, you are right. The config file is inside the jar file. If the hacker gain such access, he/she can read the username and password to access your database. In order for the hacker to access the server, he/she has the SSH access to the server. In production, the server administrator or developer should maintain a whitelist or restrict other IP address to harden the security. It is recommended to use VPS compare to shared hosting.
One way I can think of is to store the password in the config file but it is not the actual password to connect to the db. You read the password then use an encryption function to encrypt it to the actual password. The logic for the encryption is compiled in B4X.
The last sentence by Erel meaning that client app only send the request to the server with the command name and optional parameters. This is to prevent SQL injection. Instead of using GET with querystring, jRDC use POST in bytes. In case a hacker is able to sniff and analyze the packet that travel between the client and server, it is at least not in clear text. The bytes need to be serialized using B4XSerializator before it can be read by human. If we use SSL, then it will become more harder for the hacker. In PHP, we write the SQL queries inside php file. It is easier to read what are the tables and fields are used. Unless we store the queries as Stored Procedures inside the database.
i hear a lot erel saying the best solution is to use jRDC2
In many cases, it is recommended to use jRDC2. Some of the reasons are mentioned above. For B4X developers, it is easier to use a single language if he/she is not familiar with another language like PHP. Even for me who know a little about PHP, it maybe troublesome to develop another PHP application and run in Laragon wamp and then switch my mind from PHP syntax to B4X for the client. We are talking about B4X, so we are welcome to ask about this language in this forum. Otherwise you have to visit another PHP forum or search in google and return with a lot of StackOverflow solutions which we are not sure which one might work. We knew that B4X community is much much more friendly here.