I have a table in my DB from which I have to fetch some data at regular intervals based on some parameters. What I was thinking was to make an API which fetches the data for me from the server (a POST request over HTTPS). This is done in an authenticated manner using an authentication token. While discussing this, someone suggested that a particular person should be given DB access and then make a direct connection to the DB using SQL or something. His argument for accessing the DB directly was that if someone manipulated the data in the API while it was being accessed, we might get wrong results. So, with a direct DB connection, unless and until his config file is exposed, everything is secure and no one can manipulate anything.
I am not convinced by this idea. I think directly accessing the DB exposes the whole DB, which is a very big threat in itself. Also, if it were such a big threat that people could change data in APIs, why would everyone be using them? I am not clear on how the whole thing works!
So, what I want to understand here is: whenever we make an API call which uses an auth_token to authenticate itself, is there still a threat that someone might be able to capture data in between? Can someone still see what data I am sending in my request?
I don't exactly understand these things and just need some help. Maybe the right articles to help me understand what data gets exposed and what does not. Kindly help. Thanks!