
Re: JS and DataBase

On Mar 4,  7:11am, Richard Bullington wrote:

> All of these examples rely on JavaScript generating the SQL text that a CGI
> (or equivalent) program on the server side executes. Taking a fully-formed
> SQL query from a client-side program and executing it against a real database
> could be disastrous, if someone reverse engineers your code and gets it to do
> arbitrary queries. Because everyone can look at JavaScript code, this
> reverse engineering is trivial.

On this point: it seems to me that JavaScripts can be hidden within a frame,
since "View Source" only works for the top-level window.  Has anyone else found
a way to view JS/HTML source within a frame?

> Consider what might happen if someone modified your JavaScript code to send a
> 'drop table customers' query instead of a 'select name, address from
> customers' query.

Well, you wouldn't want to set it up so that the CGI executed a fully-formed
SQL query that was generated by JS.  It makes more sense to pass several
key/value pairs across to the CGI which get changed by the CGI into a real

document.location.href =

bogusDbCgi would then check to see if all the actions, DBs, and whatnot were
kosher, and then send off a precanned SQL query.  The CGI source isn't viewable
at all, either, so hacking is much harder . . .


  d a t a b a s e s    a r e   i n   o u r  g e n e s
  Brian Karlak   bkarlak@panbio.com  (510) 337-7910 ph
  Manager, SciApps Group             (510) 522-9394 fx
  P  A  N  G  E  A     S  Y  S  T  E  M  S     I  N  C
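As an added illustration of the design Brian sketches above (key/value pairs in, allow-listed action out, precanned SQL on the server), not code from the thread or from Pangea Systems: the handler below parses a CGI-style query string, refuses anything that is not an allow-listed action with exactly the expected parameters, and runs a fixed, parameterised statement so the client's values can never change which SQL executes. Beside it is the design the thread warns against, a handler that executes SQL text sent by the client, so the 'drop table customers' case can be seen doing exactly what Richard fears. Python and sqlite3 stand in for the 1996 CGI and database; the action names, parameter names and the customers table are assumptions made for this example.

```python
# Added example (not from the original thread): a CGI-style handler that
# accepts only key/value pairs, checks them against an allow-list and runs a
# precanned, parameterised SQL statement. The action names, parameter names
# and the "customers" schema are assumptions for the demonstration.
import sqlite3
from urllib.parse import parse_qs

# The only things the client may ask for. Each action maps to one fixed SQL
# statement and the parameters it requires; the client never supplies SQL.
ALLOWED_ACTIONS = {
    "list_customers": (
        "SELECT name, address FROM customers ORDER BY name",
        (),
    ),
    "find_customer": (
        "SELECT name, address FROM customers WHERE name = ?",
        ("name",),
    ),
}


class BadRequest(ValueError):
    """Raised for any request the allow-list does not cover."""


def build_demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1 Main St"), ("bob", "2 Side Rd")],
    )
    conn.commit()
    return conn


def handle_query_string(query_string, conn):
    """Validate the client's key/value pairs and run the matching precanned query.

    Returns the result rows. Raises BadRequest for an unknown action or for a
    parameter set that differs from what the action requires. Client values
    only reach the database as bound parameters, never as SQL text.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    action = params.pop("action", [None])[0]
    if action not in ALLOWED_ACTIONS:
        raise BadRequest("unknown action: %r" % (action,))
    sql, required = ALLOWED_ACTIONS[action]
    if set(params) != set(required):
        raise BadRequest("parameters for %s must be exactly %r" % (action, required))
    args = tuple(params[key][0] for key in required)
    return conn.execute(sql, args).fetchall()


def is_rejected(query_string, conn):
    """True if the allow-listing handler refuses the request."""
    try:
        handle_query_string(query_string, conn)
    except BadRequest:
        return True
    return False


def unsafe_handle_raw_sql(query_string, conn):
    """The design the thread warns against: execute SQL text sent by the client."""
    sql = parse_qs(query_string)["sql"][0]
    conn.executescript(sql)  # runs whatever the client sent, DROP TABLE included
    conn.commit()


def table_exists(conn, name):
    """Check sqlite's catalogue for a table, so the demo can show damage."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_query_string("action=list_customers", db))
    print(handle_query_string("action=find_customer&name=alice", db))
    # An injection attempt in a value (URL-encoded as a browser would send it)
    # is bound as a string that matches no row; the statement itself is unchanged.
    print(handle_query_string("action=find_customer&name=x'%3B+DROP+TABLE+customers%3B--", db))
    print("drop_customers rejected:", is_rejected("action=drop_customers", db))
    print("customers table still there:", table_exists(db, "customers"))
    # The raw-SQL design does exactly what the original post fears.
    unsafe_handle_raw_sql("sql=DROP+TABLE+customers", db)
    print("customers table still there:", table_exists(db, "customers"))
```

The check that matters is the one on the server: the action must be one of a fixed set, the parameter names must match that action exactly (extra keys are refused, not ignored), and values go in as bound parameters. None of that depends on the JavaScript being hidden; a client that has read or rewritten the script still cannot make the CGI run anything outside ALLOWED_ACTIONS.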
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/