Re: JS and DataBase
On Mon, 4 Mar 1996, Brian Karlak wrote:
> On Mar 4, 7:11am, Richard Bullington wrote:
>
> > [bad things will happen]
> > if someone reverse engineers your code and gets it to do
> > arbitrary queries. Because everyone can look at JavaScript code, this
> > reverse engineering is trivial.
>
> On this point: it seems to me that JavaScripts can be hidden within a frame,
> since "View Source" only works for the top-level window. Has anyone else found
> a way to view JS/HTML source within a frame?
This is easy - just note the URL of the frame body, and pop it directly
into the 'Location' bar. You can easily view the HTML/JavaScript in a
frame this way.
> It makes more sense to pass several
> key/value pairs across to the CGI which get changed by the CGI into a real
> command.
>
> document.location.href =
> cgi-bin/bogusDbCgi?action=SELECT&Db=YourMamma&weight=350
>
> bogusDbCgi would then check to see if all the actions, DBs, and whatnot were
> kosher, and then send off a precanned SQL query. The CGI source isn't viewable
> at all, either, so hacking is much harder . . .
This is key. You must validate user input to databases with a program you
can trust. JavaScript programs do not fit this category well.
-Richard
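Richard's point about validating with a program you can trust, as an added example that is not part of the original thread: a Python stand-in for the bogusDbCgi Brian describes, with an in-memory SQLite table of constructed sample data, which maps allowlisted action/Db pairs onto precanned parameterised queries and rejects anything else the browser sends. The table name, column names and weight range are assumptions for the illustration.

```python
# Stand-in for bogusDbCgi: the client sends key/value pairs, the server
# maps them onto precanned, parameterised SQL and rejects everything else.
import sqlite3
from urllib.parse import parse_qs

# Allowlist of (action, Db) pairs the CGI will translate. Table names live
# here, in trusted server code, and are never taken from the request.
PRECANNED = {
    ("SELECT", "YourMamma"):
        "SELECT name, weight FROM your_mamma WHERE weight >= ? ORDER BY name",
    ("COUNT", "YourMamma"):
        "SELECT COUNT(*) FROM your_mamma WHERE weight >= ?",
}

def build_query(query_string):
    """Validate the CGI query string; return (sql, params) or raise ValueError."""
    fields = parse_qs(query_string, strict_parsing=True)
    key = (fields.get("action", [""])[0].upper(), fields.get("Db", [""])[0])
    if key not in PRECANNED:
        raise ValueError(f"rejected action/Db combination: {key}")
    try:
        weight = int(fields.get("weight", [""])[0])   # "350 OR 1=1" fails here
    except ValueError:
        raise ValueError("weight must be an integer") from None
    if not 0 <= weight <= 2000:
        raise ValueError("weight out of range")
    return PRECANNED[key], (weight,)

def accepted(query_string):
    """True if the request would be translated, False if the gatekeeper rejects it."""
    try:
        build_query(query_string)
    except ValueError:
        return False
    return True

def run_cgi(query_string, conn):
    """Validate, then execute the precanned query with bound parameters."""
    sql, params = build_query(query_string)
    return conn.execute(sql, params).fetchall()

def sample_db():
    """Constructed in-memory table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE your_mamma (name TEXT, weight INTEGER)")
    conn.executemany("INSERT INTO your_mamma VALUES (?, ?)",
                     [("alice", 120), ("bob", 350), ("carol", 400)])
    return conn
```

Nothing from the request string ever reaches the SQL text; only the validated integer is bound as a parameter, so the JavaScript side can be read or modified freely without widening what the server will run.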
--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/