Best Practices for Sanitizing SQL inputs Using JavaScript?

≡放荡痞女 submitted on 2019-12-22 12:43:28

Question


So, with HTML5 giving us local SQL databases on the client side, if you want to write a select or insert, you no longer have the ability to sanitize third party input by saying $buddski = mysql_real_escape_string($tuddski) because the PHP parser and MySQL bridge are far away. It's a whole new world of SQLite where you compose your queries and parse your results with JavaScript.

But while you may not have your whole site's database go down, the user who gets his/her database corrupted or wiped due to a malicious injection attack is going to be rather upset.

So, what's the best way, in pure JavaScript, to escape/sanitize your inputs so they will not wreak havoc with your user's built-in database?

Scriptlets? Specifications? Anyone?


Answer 1:


Once you entrust the computation entirely to the client, the game is over. Even if your scripts are bulletproof, the user can still load their own scripts locally (for a benign example, see GreaseMonkey) - and access the client-side db on their own, bypassing your scripts.

In my opinion, the only useful application of a client-side database with an untrusted client (which is to say, almost any client) is mirroring/caching parts of the main, server-side db - so that the client doesn't have to pull data over the network on repeated requests (if such a client-side db gets corrupted, just invalidate it and load the data from the server again).




Answer 2:


I'm not sure about HTML5 and local databases, but on the server side it's better to use prepared statements rather than escaping. I believe it's the same with databases on the client side.




Answer 3:


Use prepared statements.

http://dev.w3.org/html5/webdatabase/#sql-injection
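
The answer above says to use prepared statements; in the Web SQL API that means calling executeSql with a fixed statement text and a separate array of bind values. The following is an added example, not code from the question or any answer: the fake transaction object, the notes table and the helper names are assumptions made so the code runs outside a browser.

```javascript
// Assumed stand-in for a Web SQL SQLTransaction: it records what executeSql
// receives and, like the real engine, treats the args array as opaque data
// that is never parsed as SQL. In a browser you would get the real object
// from db.transaction(tx => ...) and the helpers below work unchanged.
function makeFakeTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args, onSuccess) {
      const placeholders = (sql.match(/\?/g) || []).length;
      if (placeholders !== args.length) {
        throw new Error(`SQL has ${placeholders} '?' but ${args.length} bind values`);
      }
      calls.push({ sql, args: args.slice() });
      if (onSuccess) onSuccess(this, { rowsAffected: 1, rows: { length: 0 } });
    },
  };
}

// Parameterized insert: the statement text is a constant, user data travels
// only in the bind array, so a title such as "O'Brien's list" cannot alter
// the statement's structure.
function insertNote(tx, title, body) {
  const sql = "INSERT INTO notes (title, body) VALUES (?, ?)";
  tx.executeSql(sql, [title, body]);
  return sql;
}

// Same rule for reads: the WHERE clause is fixed, the value is bound.
function findNotesByTitle(tx, title) {
  const sql = "SELECT id, title, body FROM notes WHERE title = ?";
  tx.executeSql(sql, [title]);
  return sql;
}

// What NOT to do, kept here only so the check below has something to catch:
// concatenation puts the user's text into the SQL grammar itself, so a lone
// apostrophe already breaks the statement.
function insertNoteUnsafe(tx, title, body) {
  const sql = "INSERT INTO notes (title, body) VALUES ('" + title + "', '" + body + "')";
  tx.executeSql(sql, []);
  return sql;
}

// Review-time check: no user-supplied value may appear in any statement text
// handed to the engine. Returns the offending statements (empty = clean).
function statementsContaining(tx, value) {
  return tx.calls.filter(c => c.sql.includes(value)).map(c => c.sql);
}
```

The same check can be wired into a unit test that runs every data-access helper against the fake transaction and fails the build if any statement text contains the input it was given.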




Answer 4:


I think, even if you sanitize your inputs in your JavaScript, that will leave your system vulnerable to attacks. Also, it would be redundant to place an input sanitizer in your JavaScript and another one in your PHP file.




Answer 5:


Use Google's JavaScript HTML Sanitizer, available as part of the Caja distribution at: http://code.google.com/p/google-caja/

This library can be used both client-side and server-side. I use it server-side in a classic ASP project running the library under the ASP JScript host.



Source: https://stackoverflow.com/questions/2743107/best-practices-for-sanitizing-sql-inputs-using-javascript
