views:

267

answers:

5

So, with HTML5 giving us local SQL databases on the client side, if you want to write a select or insert, you no longer have the ability to sanitize third party input by saying $buddski = mysql_real_escape_string($tuddski) because the PHP parser and MySQL bridge are far away. It's a whole new world of SQLite where you compose your queries and parse your results with JavaScript.

But while you may not have your whole site's database go down, the user who gets his/her database corrupted or wiped due to a malicious injection attack is going to be rather upset.

So, what's the best way, in pure JavaScript, to escape/sanitize your inputs so they will not wreak havoc with your user's built-in database?

Scriptlets? specifications? Anyone?

+2  A: 

I'm not sure about HTML5 and local databases, but on server-side it's better to use prepared statements rather than escaping. I believe it's the same with databases on client-side.

binaryLV
+3  A: 

Once you entrust the computation entirely to the client, the game is over. Even if your scripts are bulletproof, the user can still load their own scripts locally (for a benign example, see GreaseMonkey) - and access the client-side db on their own, bypassing your scripts.

In my opinion, the only useful application of a client-side database with an untrusted client (which is to say, almost any client) is mirroring/caching parts of the main, server-side db - so that the client doesn't have to pull data over the network on repeated requests (if such a client-side db gets corrupted, just invalidate it and load the data from the server again).

Piskvor
Although your points may be true (and are in my case), it does change the fact that input must be sanitized "so they will not wreak havoc with your user's built-in database?" Users can input data that breaks code even when not trying to. Server-side coders can also do this. chris's answer seemed to cover the point and have a good reference. RichB's may also be a good answer but not what I needed.
Grant M
@Grant M: It indeed does matter - although prepared statements are your best hope, you don't have any guarantees that whatever is accessing your client-side DB is actually using your prepared statements.
Piskvor
A: 

I think, even if you sanitize your inputs in your JavaScript, that will leave your system vulnerable to attacks. Also, it would be redundant to place an input sanitizer in your JavaScript and another one in your PHP file.

Jrubins
A: 

Use Google's JavaScript Html Sanitizer available as part of the Caja distribution at: http://code.google.com/p/google-caja/

This library can be used both client-side and server-side. I use it server-side in a classic ASP project running the library under the ASP JScript host.

RichB
+1  A: 

Use prepared statements.

http://dev.w3.org/html5/webdatabase/#sql-injection

chris
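The pattern chris and binaryLV recommend, as an added example that is not part of any answer above: the Web SQL `executeSql(sql, args, onSuccess, onError)` call takes the untrusted value in the `args` array so SQLite binds it as data, while the statement text stays constant. Since `openDatabase` only exists in browsers, the transaction object here is a constructed stand-in that records what would be sent; `execSqlChecked`, `insertNoteByConcatenation`, `insertNoteWithBinding` and the sample note text are assumptions made for this example, not part of the Web SQL API.

```javascript
// Added example (not from the question or any answer): bound parameters in
// Web SQL versus string concatenation. Web SQL's openDatabase/transaction/
// executeSql only exist in (old) browsers, so a constructed stand-in
// transaction records the statement and arguments that would reach SQLite.

// Constructed stand-in for a Web SQL SQLTransaction: same executeSql(sql, args,
// onSuccess, onError) shape, but it only records the statement and arguments.
function makeRecordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args, onSuccess, onError) {
      calls.push({ sql, args: args || [] });
      if (typeof onSuccess === "function") onSuccess(this, { rows: { length: 0 } });
    },
  };
}

// The anti-pattern: building the statement by string concatenation. Any value
// containing a quote changes the structure of the statement.
function insertNoteByConcatenation(tx, body) {
  const sql = "INSERT INTO notes (body) VALUES ('" + body + "')";
  tx.executeSql(sql);
  return sql;
}

// The recommended form: the statement text is a constant; the value travels
// separately in the args array and SQLite binds it as data, never as SQL.
function insertNoteWithBinding(tx, body) {
  const sql = "INSERT INTO notes (body) VALUES (?)";
  tx.executeSql(sql, [body]);
  return sql;
}

// Defensive wrapper (hypothetical helper for this example): refuse a call whose
// placeholder count does not match the number of bound values, the usual
// symptom of a value having been spliced into the SQL text by hand.
function execSqlChecked(tx, sql, args, onSuccess, onError) {
  // Naive count: a '?' inside a string literal in the SQL text is counted too.
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== args.length) {
    throw new Error(`expected ${placeholders} bound value(s), got ${args.length}`);
  }
  tx.executeSql(sql, args, onSuccess, onError);
}

// Constructed sample input: the kind of value a user types without any
// malicious intent, which still breaks a concatenated statement.
const SAMPLE_BODY = "Tonight's note; see you at O'Reilly's";

function demo() {
  const tx = makeRecordingTx();
  const concatenated = insertNoteByConcatenation(tx, SAMPLE_BODY);
  const bound = insertNoteWithBinding(tx, SAMPLE_BODY);
  execSqlChecked(tx, "UPDATE notes SET body = ? WHERE id = ?", [SAMPLE_BODY, 7]);
  return { concatenated, bound, calls: tx.calls };
}

// In a browser the same functions would run inside a real transaction:
//   openDatabase("notes", "1.0", "notes", 1024 * 1024)
//     .transaction(tx => insertNoteWithBinding(tx, body));
```

The concatenated statement ends up with an odd number of single quotes, so SQLite rejects it (or, with a differently shaped value, runs something other than the intended insert); the bound form sends exactly the same statement text no matter what the note contains.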