tags:

views:

267

answers:

5
+1  Q: 

Best Practices for Sanitizing SQL inputs Using JavaScript?

So, with HTML5 giving us local SQL databases on the client side, if you want to write a select or insert, you no longer have the ability to sanitize third party input by saying $buddski = mysql_real_escape_string($tuddski) because the PHP parser and MySQL bridge are far away. It's a whole new world of SQLite where you compose your queries and parse your results with JavaScript.

But while you may not have your whole site's database go down, the user who gets his/her database corrupted or wiped due to a malicious injection attack is going to be rather upset.

So, what's the best way, in pure JavaScript, to escape/sanitize your inputs so they will not wreak havoc with your user's built-in database?

Scriptlets? specifications? Anyone?

+2  A: 

I'm not sure about HTML5 and local databases, but on server-side it's better to use prepared statements rather than escaping. I believe it's the same with databases on client-side.

binaryLV  2010-04-30 08:11:44
+3  A: 

Once you entrust the computation entirely to the client, the game is over. Even if your scripts are bulletproof, the user can still load their own scripts locally (for a benign example, see GreaseMonkey) - and access the clientside db on their own, bypassing your scripts.

In my opinion, the only useful application of a client-side database with an untrusted client (which is to say, almost any client) is mirroring/caching parts of the main, serverside db - so that the client doesn't have to pull data over the network on repeated requests (If such clientside db gets corrupted, just invalidate it and load the data from the server again).

Piskvor  2010-04-30 08:48:53
Although you points may be true (and are in my case) it does change the fact that input must be sanitized "so they will not wreak havoc with your user's built-in database?" users can input data that breaks code even when not trying to. Server side coders can also do this. chris's answer seemed to cover the point and have a good reference. RichB's may also be god answer but what not what I needed.
Grant M  2010-09-13 08:05:31
@Grant M: It indeed does matter - although prepared statements are your best hope, you don't have any guarantees that whatever is accessing your client-side DB is actually using your prepared statements.
Piskvor  2010-09-13 08:23:12
A: 

i think, Even if you sanitize your inputs on your javascript that will leave your system vulnerable to attacks. Also it would be redundant if you place an input sanitizer at your javascript and place another one on your php file.

Jrubins  2010-04-30 08:56:57
A: 

Use Google's JavaScript Html Sanitizer available as part of the Caja distribution at: http://code.google.com/p/google-caja/

This library can be used both client-side and server-side. I use it server-side in a classic ASP project running the library under the ASP JScript host.

RichB  2010-04-30 10:31:48
+1  A: 

Use prepared statements.

http://dev.w3.org/html5/webdatabase/#sql-injection

chris  2010-05-02 01:10:28

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL