Re: JS and DataBase



Richard Bullington wrote:

> Remember that although you can use a language for a given task, does not
> mean you should use it.
> 
> All of these examples rely on JavaScript generating the SQL text that a CGI
> (or equivalent) program on the server side executes. Taking a fully-formed
> SQL query from a client-side program and executing it against a real database
> could be disastrous, if someone reverse engineers your code and gets it to do
> arbitrary queries. Because everyone can look at JavaScript code, this
> reverse engineering is trivial.
> 
> Consider what might happen if someone modified your JavaScript code to send a
> 'drop table customers' query instead of a 'select name, address from
> customers' query.
> 
> The only way to use JavaScript with a database is to call some CGI
> program on the back end to perform the database processing. There is no
> other form of client-side JavaScript IPC but form submission, so you are
> limited to doing things like field validation with JavaScript.
> 
> Even field validation cannot be considered secure, because it is trivial to
> modify the JavaScript to get it to submit bogus values.

This is a very good point. You will have to give serious thought to 
security if you use this mechanism.

One thing you could do to provide a little additional security is to 
use parameter queries. With a parameter query you simply specify the 
query name and the parameters, not a full SQL string. This limits 
the flexibility but also limits the potential access to the DB.

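
A worked sketch of the parameter-query idea described above, added here as an illustration and not code from the original posts. It assumes the CGI program is written in Python (the thread does not name a language) with sqlite3 standing in for the real database; the registry name NAMED_QUERIES, the functions and the form keys "q" and "p" are hypothetical, and the customer rows are constructed sample data. The client only ever names a registered query and supplies values, so SQL text arriving from a tampered page is rejected and values are bound rather than spliced into the statement.

```python
import sqlite3

# Server-side registry of named queries. The client (the JavaScript form) may
# only name one of these and supply parameter values; it never sends SQL text.
# Each entry: (SQL with positional placeholders, number of parameters expected).
NAMED_QUERIES = {
    "customer_by_id": ("SELECT name, address FROM customers WHERE id = ?", 1),
    "customers_in_city": ("SELECT name, address FROM customers WHERE city = ?", 1),
}


def build_demo_db():
    """Constructed in-memory sample data (not from the original list post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, address TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [(1, "Ann", "1 Main St", "Springfield"), (2, "Bob", "2 Oak Ave", "Shelbyville")],
    )
    return conn


def run_named_query(conn, query_name, params):
    """Execute a registered query; anything not in the registry is rejected."""
    if query_name not in NAMED_QUERIES:
        raise ValueError("unknown query name: %r" % query_name)
    sql, arity = NAMED_QUERIES[query_name]
    if len(params) != arity:
        raise ValueError("expected %d parameters, got %d" % (arity, len(params)))
    # Values are bound by the driver, so a value containing SQL stays a literal.
    return conn.execute(sql, params).fetchall()


def handle_form(conn, form):
    """Hypothetical CGI entry point: 'form' is the decoded submission as a dict
    with a query name under 'q' and a list of parameter values under 'p'."""
    try:
        rows = run_named_query(conn, form.get("q", ""), form.get("p", []))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "rows": rows}
```
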
--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/