
Re: JS and DataBase



-- [ From: Glen Caretta * EMC.Ver #2.5.02 ] --

 All you need to do is look at the SRC="" statements in the top level frame
HTML, then type in the URLs directly to see the code for each frame's page.
For example:

<FRAMESET COLS="150,*">  
        <FRAME 
                NAME="frame1" 
                src="content.htm">
</FRAMESET> 

Then just enter the url for "content.htm" and you're there.

Glen Caretta
PC Systems Consulting
http://www.frontiernet.net/~gcaretta
-------- REPLY, Original message follows --------

Date: Monday, 04-Mar-96 09:59 AM
From: Brian Karlak (bkarlak@panbio.com)
To: javascript@obscure.org

Subject: Re: JS and DataBase

On Mar 4,  7:11am, Richard Bullington wrote:

> All of these examples rely on JavaScript generating the SQL text that a CGI
> (or equivalent) program on the server side executes. Taking a fully-formed
> SQL query from a client-side program and executing it against a real database
> could be disastrous, if someone reverse engineers your code and gets it to do
> arbitrary queries. Because everyone can look at JavaScript code, this
> reverse engineering is trivial.

On this point: it seems to me that JavaScripts can be hidden within a frame,
since "View Source" only works for the top-level window.  Has anyone else
found a way to view JS/HTML source within a frame?

> Consider what might happen if someone modified your JavaScript code to send a
> 'drop table customers' query instead of a 'select name, address from
> customers' query.

Well, you wouldn't want to set it up so that the CGI executed a fully-formed
SQL query that was generated by JS.  It makes more sense to pass several
key/value pairs across to the CGI which get changed by the CGI into a real
command.

document.location.href = "cgi-bin/bogusDbCgi?action=SELECT&Db=YourMamma&weight=350";

bogusDbCgi would then check to see if all the actions, DBs, and whatnot were
kosher, and then send off a precanned SQL query.  The CGI source isn't
viewable at all, either, so hacking is much harder . . .

Brian

-- 
  d a t a b a s e s    a r e   i n   o u r  g e n e s
  ----------------------------------------------------
  Brian Karlak   bkarlak@panbio.com  (510) 337-7910 ph
  Manager, SciApps Group             (510) 522-9394 fx
  ----------------------------------------------------
  P  A  N  G  E  A     S  Y  S  T  E  M  S     I  N  C
--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'. List
archives and pointer to FAQ: http://www.obscure.org/javascript/


-------- REPLY, End of original message --------
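The two designs argued over above, side by side, as an added example that is not code from either poster: a naive handler that executes whatever SQL the client assembled (the 'drop table customers' scenario), next to a handler in the shape Brian sketches, which accepts only key/value pairs, checks them against a fixed list of allowed action/Db combinations, binds the remaining value as a query parameter, and runs a precanned statement. The function names (naive_cgi, bogus_db_cgi), the in-memory SQLite database, the customers table and its rows are all constructed here for illustration; the thread names no real schema.

```python
"""Client-built SQL versus allowlisted key/value pairs mapped to precanned queries.

Added example, not from the mailing-list thread. The database, table and rows
are constructed sample data; bogusDbCgi is the hypothetical name used above.
"""
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory stand-in for the real customers database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, address TEXT, weight INTEGER)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [("Ann", "1 Main St", 120), ("Bob", "2 Oak Ave", 350)],
    )
    conn.commit()
    return conn


def table_exists(conn, name="customers"):
    """True if the named table still exists (used to show the damage a DROP does)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def naive_cgi(conn, query_string):
    """The design Richard warns about: run fully formed SQL sent by the client.

    Whatever the browser (or anyone who edited the JavaScript) puts in the
    'sql' parameter is executed verbatim, DROP TABLE included.
    """
    sql = parse_qs(query_string)["sql"][0]
    conn.executescript(sql)
    return "executed"


# The only statements the server will ever run. The client may pick one by
# (action, Db) name; the weight value is bound as a parameter, never spliced
# into the SQL text, so it cannot change the statement's shape.
PRECANNED = {
    ("SELECT", "customers"): "SELECT name, address FROM customers WHERE weight = ?",
    ("COUNT", "customers"): "SELECT COUNT(*) FROM customers WHERE weight = ?",
}


def bogus_db_cgi(conn, query_string):
    """Brian's design: validate action/Db/weight, then run a precanned query.

    Returns a dict so the caller can see both the outcome and the reason a
    request was refused.
    """
    params = parse_qs(query_string)
    try:
        action = params["action"][0]
        db = params["Db"][0]
        weight = int(params["weight"][0])  # rejects "350 OR 1=1" and the like
    except (KeyError, IndexError, ValueError):
        return {"ok": False, "error": "missing or malformed parameter"}
    sql = PRECANNED.get((action, db))
    if sql is None:
        # Unknown action or table: nothing is executed, not even a lookup.
        return {"ok": False, "error": "unknown action/Db"}
    rows = conn.execute(sql, (weight,)).fetchall()
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    conn = make_db()
    print(bogus_db_cgi(conn, "action=SELECT&Db=customers&weight=350"))
    print(bogus_db_cgi(conn, "action=DROP&Db=customers&weight=350"))
    print(bogus_db_cgi(conn, "action=SELECT&Db=customers&weight=350+OR+1%3D1"))
    naive_cgi(conn, "sql=DROP+TABLE+customers")
    print("customers table still exists:", table_exists(conn))
```

The point the allowlist makes is that the server, not the page, owns the SQL: an attacker who reads the frame's source learns the parameter names, but the only thing those names can select is one of the statements the server author wrote, with the value typed and bound separately. Hiding the CGI source, as Brian notes, is a secondary benefit; the design is sound even if the server code is public.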

