
Re: JS and DataBase



On Mon, 4 Mar 1996, Brian Karlak wrote:

> On Mar 4,  7:11am, Richard Bullington wrote:
> 
> > [bad things will happen]
> > if someone reverse engineers your code and gets it to do
> > arbitrary queries. Because everyone can look at JavaScript code, this
> > reverse engineering is trivial.
> 
> On this point: it seems to me that JavaScripts can be hidden within a frame,
> since "View Source" only works for the top-level window.  Has anyone else found
> a way to view JS/HTML source within a frame?

This is easy - just note the URL of the frame body, and pop it directly 
into the 'Location' bar. You can easily view the HTML/JavaScript in a 
frame this way.

> It makes more sense to pass several
> key/value pairs across to the CGI which get changed by the CGI into a real
> command.
> 
> document.location.href =
> cgi-bin/bogusDbCgi?action=SELECT&Db=YourMamma&weight=350
> 
> bogusDbCgi would then check to see if all the actions, DBs, and whatnot were
> kosher, and then send off a precanned SQL query.  The CGI source isn't viewable
> at all, either, so hacking is much harder . . .

This is key. You must validate user input to databases with a program you 
can trust. JavaScript programs do not fit this category well.

-Richard
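The approach the thread converges on, as an added example that is not part of the original post or of any 1996 CGI: the browser sends only key/value pairs (`action`, `Db`, `weight`), and a server-side handler checks each against a fixed allowlist and then runs a precanned, parameterised statement. Python and sqlite3 stand in for the CGI and database; the table names, the `PRECANNED` map and the sample rows are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs

# Precanned statements, keyed by the action name the client may send (constructed).
# The client never sends SQL; the server maps a short key to a fixed statement and
# binds the one user-supplied value as a parameter, never by string concatenation.
PRECANNED = {
    "SELECT": "SELECT name, weight FROM {table} WHERE weight >= ?",
    "COUNT": "SELECT COUNT(*) FROM {table} WHERE weight >= ?",
}

# Table names cannot be bound as parameters, so the only identifiers that ever reach
# the statement come from this fixed set, not from the request (constructed names).
ALLOWED_DBS = {"animals", "vehicles"}


class BadRequest(ValueError):
    """Raised for any request that does not match the precanned options exactly."""


def build_query(query_string):
    """Map a CGI query string to (sql, bind_args) or raise BadRequest."""
    params = parse_qs(query_string)

    def one(key):
        # Exactly one value per key; a repeated key is rejected rather than "last wins".
        vals = params.get(key, [])
        if len(vals) != 1:
            raise BadRequest(f"expected exactly one {key!r}")
        return vals[0]

    action = one("action")
    db = one("Db")
    if action not in PRECANNED:
        raise BadRequest(f"unknown action {action!r}")
    if db not in ALLOWED_DBS:
        raise BadRequest(f"unknown Db {db!r}")
    try:
        weight = int(one("weight"))
    except ValueError:
        # "350 OR 1=1" and similar fail here; only a plain integer is accepted.
        raise BadRequest("weight must be an integer")
    if not 0 <= weight <= 100000:
        raise BadRequest("weight out of range")
    # The table name is substituted only after it passed the allowlist check.
    return PRECANNED[action].format(table=db), (weight,)


def rejects(query_string):
    """True if the handler refuses the request, False if it would run a statement."""
    try:
        build_query(query_string)
    except BadRequest:
        return True
    return False


def run_request(conn, query_string):
    """Validate, then execute the precanned statement with bound parameters."""
    sql, args = build_query(query_string)
    return conn.execute(sql, args).fetchall()


def demo_db():
    """In-memory database with a few constructed rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE animals (name TEXT, weight INTEGER)")
    conn.executemany(
        "INSERT INTO animals VALUES (?, ?)",
        [("cat", 4), ("bear", 350), ("moose", 500)],
    )
    conn.execute("CREATE TABLE vehicles (name TEXT, weight INTEGER)")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(run_request(db, "action=SELECT&Db=animals&weight=350"))
    for bad in ("action=DROP&Db=animals&weight=1",
                "action=SELECT&Db=animals;--&weight=1",
                "action=SELECT&Db=animals&weight=350 OR 1=1"):
        print(bad, "->", "rejected" if rejects(bad) else "accepted")
```

The point to notice is that nothing the client controls is ever interpreted as SQL: `action` and `Db` only select among statements and tables the server already trusts, and `weight` is bound as a typed parameter. Whether the JavaScript that built the URL was hidden in a frame or read straight off the page makes no difference to what the server will run.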
--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/