Best Practices for Sanitizing SQL inputs Using JavaScript? - javascript

So, with HTML5 giving us local SQL databases on the client side, if you want to write a select or insert, you no longer have the ability to sanitize third party input by saying $buddski = mysql_real_escape_string($tuddski) because the PHP parser and MySQL bridge are far away. It's a whole new world of SQLite where you compose your queries and parse your results with JavaScript.
But while you may not have your whole site's database go down, the user who gets his/her database corrupted or wiped due to a malicious injection attack is going to be rather upset.
So, what's the best way, in pure JavaScript, to escape/sanitize your inputs so they will not wreak havoc with your user's built-in database?
Scriptlets? specifications? Anyone?

Once you entrust the computation entirely to the client, the game is over. Even if your scripts are bulletproof, the user can still load their own scripts locally (for a benign example, see GreaseMonkey) - and access the clientside db on their own, bypassing your scripts.
In my opinion, the only useful application of a client-side database with an untrusted client (which is to say, almost any client) is mirroring/caching parts of the main, serverside db - so that the client doesn't have to pull data over the network on repeated requests (If such clientside db gets corrupted, just invalidate it and load the data from the server again).

I'm not sure about HTML5 and local databases, but on server-side it's better to use prepared statements rather than escaping. I believe it's the same with databases on client-side.

Use prepared statements.
http://dev.w3.org/html5/webdatabase/#sql-injection

i think, Even if you sanitize your inputs on your javascript that will leave your system vulnerable to attacks. Also it would be redundant if you place an input sanitizer at your javascript and place another one on your php file.

Use Google's JavaScript Html Sanitizer available as part of the Caja distribution at:
http://code.google.com/p/google-caja/
This library can be used both client-side and server-side. I use it server-side in a classic ASP project running the library under the ASP JScript host.

Related

Connecting to SQL Server from javascript properly, quickly

I have a Javascript application that requires two queries to a MS SQL Server database. I need this done as simply and lightly as possible, because this is a high speed application, with data refreshing constantly. I've read that there is only one (improper) way to do it (using ActiveX) directly and only through IE, and I'd rather do it properly with a server side language and have it work in Chrome. I am a Java programmer, but I'd rather avoid starting with connecting to Java if possible. Is there any other framework/server side language that can quickly, easily, and lightly connect to my database? I don't want my users to need to download any software or adjust their browsers, so something that I can just add to the folder with the web pages would be optimal. If you know of a good system, can you include a link to whatever needs downloading, a basic explanation of how to use it - limiting it to exactly what I need to make a basic select query, and why you think this system is the simplest, fastest option?
Thanks!
You might need to write some backend code in Python, NodeJs, C# or Java to create a Web API. Web API is a wrapper around your MS SQL so that you can apply access control and error handling logics.
C# has scaffolding projects for quickly create a Web API, but it's going to use Entity Framework, which has known performance issues.
NodeJs has a package for connecting with MS SQL, but you'll need to write custom code to wire it up with an HTTP server package such as Express JS.
You can't directly query a database using JavaScript. Even if you found an ActiveX workaround, you shouldn't do this. If a web client was able to directly access the filesystem either locally or on the server it would be a security nightmare.
If you want a web based client to a backend database you'll have to use some kind of server side scripting. If you're already familiar with Java then why not use a CGI script written in Java?
Disregard all answers telling you that's impossible. You can do it with javascript (however, it's really not recommended because of security matters) You should not connect to a database directly from the client browser, but if you need/want to do it, you can use ActiveXObject:
var conn = new ActiveXObject("ADODB.Connection"),
cString="Data Source=yourServer;Initial Catalog=yourCatalog;User ID=yourUserId;Password=yourPass>;Provider=SQLOLEDB";
conn.Open(cString);
var rs = new ActiveXObject("ADODB.Recordset");
rs.Open("SELECT * FROM table WHERE id = 1", conn);
rs.MoveFirst
while(!rs.eof)
{
document.write(rs.fields(1));
rs.movenext;
}
rs.close;
conn.close;
In the connection string, replace all words starting with your with your real value.
It is impossible to connect to a MS SQL database via JavaScript in a web browser. You would need back end code on a server to do that for you.

Authentication - key in each ajax

Im writing new app and this time i want to completely separate HTML/JS layer from the PHP layer. Thats because I'll do phonegap version in the future.
I have question about authentication. This time I can't use session variables so i must figure out new way of authentication. Im going to try it this way:
User fills login form and send it via ajax to php file.
Php file checks whether login and password are ok or not, and then create a key-token for that user. Save it on his side (ex. in mysql) and return it to the client side as javascript.
Browser is receiving key-token and save it in session_storage.
Each ajax request is attached by this token and then verified by php.
Is there a hole in that plan?. Maybe there is much easier/better solution. Its inspired by how php session works but with key-token instead of session id. Please help me.
I can't use session variables
What you describe sounds exactly like a session, but you're going to implement itself yourself rather than using the known, tested properties and flexibility of the standard PHP session handler. Hence even if you avoid the inherent design pitfalls, you run the risk of injecting defects in your implementation.
I would strongly urge you to use the standard PHP mechanism (although you might want to consider a more complex save handler, even if it's just enabling the multi-layer function).
Given that what you describe is no different from the PHP handler, then, yes it will work if implemented correctly - is it secure? Not from the information you've provided.
Session storage does offer the possibility of carrying out more secure operations without resorting to SSL (although HTTPS is a must have if security is important) since you can pre-share encryption keys (but the initial key negotiation is highly vulnerable).
OTOH what you describe is vulnerable to sniffing, injection and CSRF.

Is there a way to make a login system in html and javascript or jQuery?

I know how to make the layout but I want to know how to make a login system that saves a username and password without PHP, with Javascript or JQuery.
Ultimately, you cannot enforce the security of code running inside the user's web browser in a way that would be necessary for a meaningful login system. The processing model of the web requires you to process some form of input submitted by the client (e.g. a username and password) against some private logic or data on the server (e.g. a one-way hash of the password in a database). It is also server-side code which needs to know that a user is logged in, and what permissions that grants them.
If you like JS as a language, you could look into node.js, which runs JS as the server-side platform rather than some other language like PHP or Ruby.
The only other alternative, I think, is the extremely limited "HTTP Basic Auth", which lets you forbid access to certain URLs based on a manually maintained list of passwords.
With HTML and Javascript everything is done on the client side. Without have some type of server side system, anything can be trapped on the client side.
Google offers some ways to use libraries and their servers to build stable login solutions.
https://developers.google.com/+/quickstart/javascript
if you want to store data at server side, then No, you can not do using client script.
But if you want to store it locally, then you can use HTML5 Local Storage.
Also refer javascript-save-local-data

Encrypting pass in javascript with a key, then retrieve the original password (as securely as possible)

I would like to encrypt and save a user password in a database, all this with javascript, and later decrypt it. I would like to use a key to encrypt/decrypt all passwords. I was thinking about storing them in an sqlite database.
Do you think this way the database will be secure in case of theft? I guess it will highly depend on the algorithm and implementation.
Can you point me in the right direction to any library that has this functionality, allows me to encrypt/decrypt?
Can you recommend me a library to handle sqlite db. with javscript?
I would normally do all this with some webscripting language without decrypting the pass, but I need to do this with js. and I am fairly new to the language. So any advices would be appreciated.
Thanks!
Client side code should not be used for securing a connection, as the Javascript code itself was loaded from the insecure connection and is thus prone to tampering.
Just load your script and do all sensitive communication through https and and you should be fine.
If you encrypting/decrypting anything, it should be done on the server.
A hacker can view the source code of the JS to figure out the hashing algorithm, and assuming they're using a packet sniffer or similar piece of software, compare that algorithm to the data sent by the user.
For what you want to achieve, you could connect to the server with HTTPS, and send passwords and receive authentication notices to/from the server via xmlhttprequest.
I do not know of any algorithms for doing everything on the client, probably for the reasons listed above. There are plenty of PHP hashing algorithms however. This site may be of use: http://phpsec.org/
Edit: (Read your comment on the OP) Doesn't Firefox offer this functionality already? In any case, saving passwords made on the local machine can be stored on the local machine. When a page is revisited, you could auto-fill the related password fields. The only security threat there is if the host computer is compromised. I don't know any code samples for this though.

How to create temporary files on the client machine, from Web Application?

I am creating a Web Application using JSP, Struts, EJB and Servlets. The Application is a combined CRM and Accounting Package so the Database size is very huge. So, in order to make Execution faster, I want prevent round trips to the Database.
For that purpose, what I want to do is create some temporary XML files on the client Machine and use them whenever required. How can I do this, as Javascript do not permits me to do so. Is there any way of doing this? Or, is there any other solution which I can adopt in order to make my application Faster?
You do not have unfettered access to the client file system to create a temporary file on the client. The browser sandbox prevents this for very good reasons.
What you can do, perhaps, is make some creative use of caching in the browser. jQuery's data method is an example of this. TIBCO General Interface makes extensive use of a browser cache for XML data. Their code is open source and you could take a look to see how they've implemented their browser cache.
If the database is large and you are attempting to store large files, the browser is likely not going to be a great place for that data. If, however, the information you want to store is fairly small, using an in-browser cache may accomplish what you'd like.
You should be caching on the web server.
As you've no doubt realised by now, there is a very limited set of things you can do on the client machine from a web app (eg, write cookie).
You can make your application use the browser plugin Google Gears, that allows you a real clientside storage.
Apart from that, remember, there is a huge overhead for every single request, if needed you can easily stack a few 100 kB in one response, but far away users might only be able to execute a few requests per second. Try to keep the number of requests down, even if it means adding overhead in form of more data.
#justkt Actually, there is no good reason to not allow a web application to store data. Indeed HTML5 specifications include a database similar to the one offered by Google Gears, browser support is just a bit too sporadic for relying on that feature.
If you absolutely want to cache it on the client, you can create the file on your server and make your web app retrieve it. This way the browser will fetch it and keep it on the client cache.
But keep in mind that this could be a pain for the client if the file is large enough.

Categories

Resources