Skip client request

Is it good (I mean for security reasons) to pass the database query (select, update or something else) to the server side as a parameter (for example, I read the values of the form fields, build a query string in JavaScript and pass the generated string to the server as a parameter):

    $.ajax({
        url: "servletURL",
        type: "post",
        data: { query: "select name, last_name from employees" },
        success: function (data) { /* do things */ }
    });

or

    var name = document.getElementById('name').value;
    var last_name = document.getElementById('last_name').value;
    $.ajax({
        url: "servletURL",
        type: "post",
        data: { query: "select * from employees where name=" + name + " and last_name=" + last_name },
        success: function (data) { /* do things */ }
    });

Or should I send only the parameters to the server, not full queries, and build a prepared statement there?

And, of course, I can check the correctness of the field values before sending the request to the server.

+6
2 answers

Unless you are creating something that is explicitly intended to execute queries against a database (phpMyAdmin or the like), this is NEVER acceptable.

Why?
Now, an attacker can delete your ENTIRE database by simply editing javascript.

    $.ajax({
        url: "",
        type: "post",
        data: { query: "DROP database" },
        success: function () { /* ... */ }
    });

Best practice is to send the data to the server and build the query there.
The only attack left is SQL injection. The solutions for this are specific to each language, but you can take a look at Tom Scott's explanation of it.

+2

Do not pass queries as parameters. It is better to avoid using query templates at all. The security holes are wide open, and to close them you really need a full-fledged SQL parser in your validation code.

In your example, just imagine a man-in-the-middle attack that modifies the generated query

 select * from employees where name='<name>' and last_name='<last_name>' 

to

 select * from employees where name='<name>' and last_name='<last_name>' union all select * from employees 

just by adding a string constant.

+2
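Both answers make the same recommendation: the client sends only the field values, and the server owns the SQL text and binds those values as parameters. The following is an added example, not code from this thread or from the asker's servlet; it uses Python's standard `sqlite3` module as a stand-in for the Java servlet and its database, with a constructed in-memory `employees` table. The function names (`lookup_concatenated`, `lookup_parameterized`, `handle_request`) are hypothetical. It places the concatenation pattern from the question beside the parameterized form, and runs the `union all` input from the second answer through both so the difference is visible as row counts.

```python
import sqlite3

# Constructed sample rows (not from the original thread).
EMPLOYEES = [("alice", "smith"), ("bob", "jones"), ("carol", "lee")]


def make_db():
    """Build an in-memory database with the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return conn


def lookup_concatenated(conn, name, last_name):
    """The pattern from the question: the SQL text is built by string
    concatenation, so whatever the client puts into a field becomes part
    of the statement rather than a value compared against the column."""
    sql = ("select * from employees where name='" + name +
           "' and last_name='" + last_name + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name, last_name):
    """What both answers recommend: the query text is fixed on the server
    and the two values are bound as parameters. The driver never splices
    them into the SQL, so quotes, 'union' or '--' inside a value are just
    characters to compare against, not syntax."""
    sql = "select * from employees where name=? and last_name=?"
    return conn.execute(sql, (name, last_name)).fetchall()


def handle_request(conn, form):
    """Hypothetical server-side handler for the servletURL endpoint.
    It reads only the named fields; a client-supplied 'query' field (the
    thing the question proposes sending) is simply never looked at."""
    name = form.get("name", "")
    last_name = form.get("last_name", "")
    return lookup_parameterized(conn, name, last_name)


# The modified value from the second answer, placed in the last_name field.
# The trailing '--' comments out the closing quote the server appends.
TAMPERED_LAST_NAME = "smith' union all select * from employees --"


if __name__ == "__main__":
    db = make_db()
    # Normal lookup: both forms return the single matching row.
    print(lookup_concatenated(db, "alice", "smith"))
    print(lookup_parameterized(db, "alice", "smith"))
    # Tampered value: concatenation returns the matching row plus the
    # whole table; the parameterized form compares the literal string
    # against last_name and returns nothing.
    print(len(lookup_concatenated(db, "alice", TAMPERED_LAST_NAME)))  # 4
    print(lookup_parameterized(db, "alice", TAMPERED_LAST_NAME))      # []
    # A 'query' field in the form is ignored by the handler.
    print(handle_request(db, {"name": "bob", "last_name": "jones",
                              "query": "DROP database"}))
```

The point the second answer makes about needing a full SQL parser to validate queries is what the parameterized form sidesteps: the server never has to inspect or reject query text, because no query text is accepted from the client in the first place.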

Source: https://habr.com/ru/post/985589/
