Options for sanitizing SQL input with JavaScript?

Posted 2024-08-30 16:30:36 · 1,704 characters · 5 views · 0 comments


Comments (6)

⊕婉儿 2024-09-06 16:30:36


Once you entrust the computation entirely to the client, the game is over. Even if your scripts are bulletproof, the user can still load their own scripts locally (for a benign example, see GreaseMonkey) - and access the clientside db on their own, bypassing your scripts.

In my opinion, the only useful application of a client-side database with an untrusted client (which is to say, almost any client) is mirroring/caching parts of the main, serverside db - so that the client doesn't have to pull data over the network on repeated requests (If such clientside db gets corrupted, just invalidate it and load the data from the server again).

离笑几人歌 2024-09-06 16:30:36


I'm not sure about HTML5 and local databases, but on server-side it's better to use prepared statements rather than escaping. I believe it's the same with databases on client-side.

漫漫岁月 2024-09-06 16:30:36


I think, even if you sanitize your inputs in your JavaScript, that will leave your system vulnerable to attacks. Also, it would be redundant if you place an input sanitizer in your JavaScript and place another one in your PHP file.

多情癖 2024-09-06 16:30:36


Use Google's JavaScript Html Sanitizer available as part of the Caja distribution at:
http://code.google.com/p/google-caja/

This library can be used both client-side and server-side. I use it server-side in a classic ASP project running the library under the ASP JScript host.

战皆罪 2024-09-06 16:30:36


There are libraries to help you with that. You can use sqlstring which is a small utility to escape values to be passed to MySQL as parts of a query.

Another useful library is prep-composer (which I am developing). It focuses on composing complex queries for all SQL dialects. It's not a query builder like Knex.js, but it gives you more flexibility. You can pass the values inline while composing a query and it keeps track of their positions and order. It works with third-party escaping libraries like sqlstring.

Usage example:

```javascript
// sql and $ are the prep-composer helpers (the import is not shown in the post)
const name = "O'Brien";
const jobTitles = ['Developer', 'Designer'];

const selectFromPart = sql('SELECT * FROM', $['my_db']['employees']);
const conditionPart = sql('name =', $(name), 'AND job_title IN (', $(jobTitles), ')');
const query = sql(selectFromPart, 'WHERE', conditionPart);

console.log(query.toString());
// SELECT * FROM `my_db`.`employees` WHERE name = ? AND job_title IN ( ?, ? )
```

The output can be used in a prepared statement (for maximum safety) but escaping is also possible. Parameter values are accessed via query.parameters.
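As an added example (not prep-composer's or sqlstring's own code), a minimal composer in the style the answer describes: user values are wrapped so they become `?` placeholders and are collected in order for the driver to bind, with an array expanding into an IN list, so the quote in O'Brien never enters the SQL text. The names `param`, `ident`, `sql` and `buildEmployeeQuery` are chosen here.

```javascript
'use strict';

class Param { constructor(value) { this.value = value; } }
class Fragment {
  constructor(text, parameters) { this.text = text; this.parameters = parameters; }
}

// Wrap a value that must be bound by the driver, never spliced into the text.
function param(value) { return new Param(value); }

// Quote identifiers (schema/table/column) MySQL-style with backticks;
// an embedded backtick is doubled, which is how MySQL escapes one.
function ident(...names) {
  return names.map(n => '`' + String(n).replace(/`/g, '``') + '`').join('.');
}

// Compose literal SQL text, Params and nested Fragments into one Fragment.
// Each Param becomes a `?`; an array Param expands to `?, ?, ...` for IN (...).
// The parameters array is built in the same order as the placeholders.
function sql(...parts) {
  const text = [];
  const parameters = [];
  for (const part of parts) {
    if (part instanceof Fragment) {
      text.push(part.text);
      parameters.push(...part.parameters);
    } else if (part instanceof Param) {
      const values = Array.isArray(part.value) ? part.value : [part.value];
      if (values.length === 0) throw new Error('IN () needs at least one value');
      text.push(values.map(() => '?').join(', '));
      parameters.push(...values);
    } else {
      text.push(String(part)); // trusted literal SQL written by the developer
    }
  }
  return new Fragment(text.join(' '), parameters);
}

// The query from the post, rebuilt with the composer above.
function buildEmployeeQuery(name, jobTitles) {
  const selectFrom = sql('SELECT * FROM', ident('my_db', 'employees'));
  const where = sql('name =', param(name), 'AND job_title IN (', param(jobTitles), ')');
  return sql(selectFrom, 'WHERE', where);
}

// Constructed input: the quote in O'Brien stays in parameters, not in text.
const q = buildEmployeeQuery("O'Brien", ['Developer', 'Designer']);
console.log(q.text);       // SELECT * FROM `my_db`.`employees` WHERE name = ? AND job_title IN ( ?, ? )
console.log(q.parameters); // [ "O'Brien", 'Developer', 'Designer' ]
```

Pass `q.text` and `q.parameters` to the driver's prepared-statement call (for example `connection.execute(q.text, q.parameters)` in mysql2); the driver sends values separately from the statement, which is what the prepared-statement answers above recommend.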
