Re: JS and DataBase



On Sun, 3 Mar 1996, Don Moore wrote:

> I would also be interested in seeing this code seeing how I have an order 
> entry system setup that uses some javascript but wouldn't mind accessing 
> pricing information, taxes and such dynamically from the database.  Dynamic 
> HTML :>
> On Sun, 3 Mar 1996, Ellie wysiwyg wrote:
> > At 08:08 AM 3/3/96 -0500, Ed wrote:
> > >I use JS to talk to my DB all the time.  JS is well suited to writing a 
> > >SQL query[...]
> > 
> > Could you post some sample code?
> > 
> > I'm sure many will be interested. (I know I am...)

Remember that although you can use a language for a given task, that does not 
mean you should use it.

All of these examples rely on JavaScript generating the SQL text that a CGI
(or equivalent) program on the server side executes. Taking a fully-formed
SQL query from a client-side program and executing it against a real database
could be disastrous, if someone reverse engineers your code and gets it to do
arbitrary queries. Because everyone can look at JavaScript code, this 
reverse engineering is trivial.

Consider what might happen if someone modified your JavaScript code to send a
'drop table customers' query instead of a 'select name, address from
customers' query.

The only way to use JavaScript with a database is to call some CGI 
program on the back end to perform the database processing. There is no 
other form of client-side JavaScript IPC but form submission, so you are 
limited to doing things like field validation with JavaScript. 

Even field validation cannot be considered secure, because it is trivial to
modify the JavaScript to get it to submit bogus values.

Richard Bullington
JavaScript List Administrator
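
The distinction drawn above, as an added example that is not part of this thread
and not Richard's code: modern Python with the standard sqlite3 module stands in
for the CGI back end, showing a handler that executes SQL text sent by the client
beside one where the server owns the query and binds only a field value. The
table rows are constructed sample data, and the function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the 'customers' table in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("Ada", "1 Main St"), ("Bob", "2 High St")])
    db.commit()
    return db

def table_exists(db, name):
    """Check whether a table survived the request (used to observe damage)."""
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                     (name,)).fetchone()
    return row is not None

def vulnerable_cgi(db, client_sql):
    """The pattern the thread warns against: the server runs whatever SQL text
    the client-side script assembled. Whoever edits the JavaScript chooses the
    query, so 'drop table customers' runs exactly like a SELECT would."""
    db.executescript(client_sql)
    return db

def hardened_cgi(db, customer_name):
    """The server owns the query text; the client supplies only a field value.
    Validation is repeated here because client-side checks can be bypassed,
    and the value is bound as a parameter so it can never become SQL syntax."""
    if not isinstance(customer_name, str) or not 0 < len(customer_name) <= 40:
        raise ValueError("invalid customer name")
    cur = db.execute("SELECT name, address FROM customers WHERE name = ?",
                     (customer_name,))
    return cur.fetchall()

if __name__ == "__main__":
    db = make_db()
    vulnerable_cgi(db, "drop table customers")
    print("after client-supplied SQL, table exists:", table_exists(db, "customers"))
    db = make_db()
    print("lookup Bob:", hardened_cgi(db, "Bob"))
    print("hostile value:", hardened_cgi(db, "x'; drop table customers; --"))
    print("after hostile value, table exists:", table_exists(db, "customers"))
```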

--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/