Should clients have direct access to the database?

Question

Should client applications be coded so that they connect to and retrieve data from the remote SQL database?

Based on my knowledge I would say that is extremely bad practice, and you should have a server application which handles all clients and acts as a central unit for retrieving data - is this right?

Are business information systems ever built without a server application to handle clients?

Answer 1

Depends what's meant by 'client applications'. Internal client applications within a business can often work well by interacting directly with a central database. Of course, certainly make them use read-only credentials unless they explicitly need to write.

An external client application is perhaps another question. If you're distributing, say, an iPhone app I would definitely write an API server to wrap common requests.

The extra layer of abstraction is usually helpful for more than security--consider scalability. What if suddenly you had orders of magnitude more client requests? It's much easier to add caching or other performance enhancements to an API service than to update each client. Much better to build an architecture that can be changed than to tie down to a direct implementation.