[MUD-Dev] Database vs. Disk

J C Lawrence claw at kanga.nu
Fri Jun 20 00:22:48 CEST 2003

On Thu, 19 Jun 2003 15:28:00 -0600
Kwon J Ekstrom <justice at softhome.net> wrote:
> corrine_123 at hotmail.com wrote:

>> Besides performance and scalability, isn't security another
>> potential benefit of using a database rather than a file system
>> (if you choose the right database, of course)?

> Security is always an issue to some degree.

Its an apples and oranges problem.

Using an RDBMS brings with it a standard security model for that
application, which is nice, but also brings with it a pre-canned set
of threat vectors for exploits.  These can range from being as
simple as direct attacks on the RDBMS, attacks and attempted
misphrasings of SQL statements by injecting carefully prepared
strings, to attacks (even DoS) on exposed network ports for the
RDBMS, or manipulations of the table space of RDBMS limits for data
items or schema etc.  To handle an RDBMS well you need to know its
behaviour and posture in your application, your system, and your
network(s) -- which is nothing new as you should understand all your
components in those ways -- but it is commonly overlooked.

Using a flat file system, dbm derivative or such doesn't remove all
those problems, instead it removes /many/ of them while adding
others.  The same level of understanding is required with the caveat
that now several of the systems need to be homegrown (eg the
transactional layer), which can bring its own risks.

Performance?  At what?  Scalability?  For what?

Sure, things like Oracle are fast and immensely scalable for the
types of loads they are designed for.  Unhappily for MUDs, game and
world data typically don't fit those load or access patterns -- but
then I've ranted on this before, not that many weeks ago.

J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas.
claw at kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
MUD-Dev mailing list
MUD-Dev at kanga.nu

More information about the mud-dev-archive mailing list