Old 11-28-2009, 01:22 PM   #1
arundracula
SQL type injection in JS??

You might know what SQL injection in PHP MySQL queries is..

Closing the mysql query manually and deleting the table..

Adding extra parameters to make the query always true and logging in..

This was in earlier PHP, however we can avoid these by magic_quotes...

My question is: will this trick work in a JavaScript function which accepts a variable? If yes, how to avoid it?

For example:
Code:
function testFunction(variable){
 //doSomething with variable
}
In the above code we can run the function from location bar by typing javascript:testFunction(var);

If the var is typed in as in the SQL injection method (manually closing the function parenthesis and writing code to create a file on the server...), will it cause any problem?
Old 11-28-2009, 02:33 PM   #2
icio
The generally accepted mindset is to ignore security in client-side scripts (JS), and implement it entirely in server-side scripts (e.g. PHP). This is because the user is able to interface with your server in any which way they like.

For example, making sure that your form meets the requirements you have set by testing them with a JavaScript script is useless, because the user can just write their own form and submit it to your server. Alternatively, instead of writing their own form, they could load up your page and execute any arbitrary JavaScript code they like.

Quite simply, the user is able to alter anything you write in JavaScript. This is not the case server-side and thus we implement security features. You need only worry about your client-side scripts working.

With that said, there are certain inputs that might break your script depending on what you are doing with said input. For example, if you are putting the string through an `eval` call then the user might inject some code. Similarly if you are generating URLs the user might provide unexpected content to alter the URL in an undesirable way.

This is why we have the escape functions `escape`, `encodeURI` and `encodeURIComponent`.

Hope that helps
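The two client-side hazards named above, string-building a URL from user text and feeding user text to `eval`, shown next to their safe forms. This is an added example, not code from the thread; the function names and the sample input are constructed for illustration.

```javascript
// Added example (not from the thread): URL building with and without
// encodeURIComponent, and a parser used instead of eval for structured data.
// Names (buildSearchUrl*, parseSettingsSafe) and sample inputs are constructed.

// Constructed sample input: what a user might type into a search box.
const userInput = "shoes&admin=true#top";

// Naive: the raw text is spliced into the query, so '&' and '#' change the
// URL's structure, adding a second parameter and a fragment the author never
// intended.
function buildSearchUrlNaive(q) {
  return "https://example.invalid/search?q=" + q;
}

// Safe: encodeURIComponent escapes every character with URL meaning, so the
// whole input stays inside the single `q` value. (escape() is legacy, and
// encodeURI() would leave '&' and '#' alone because it is meant for whole
// URLs rather than one component.)
function buildSearchUrlSafe(q) {
  return "https://example.invalid/search?q=" + encodeURIComponent(q);
}

// Read back what a server would see. The WHATWG URL class exists in modern
// browsers and in Node.
function queryParams(url) {
  const u = new URL(url);
  return {
    q: u.searchParams.get("q"),
    admin: u.searchParams.get("admin"),
    hash: u.hash,
  };
}

// For structured data, use a parser rather than eval: JSON.parse only ever
// yields data, whereas eval executes whatever text it is handed.
function parseSettingsSafe(text) {
  try {
    const v = JSON.parse(text);
    return v !== null && typeof v === "object" ? v : null;
  } catch (e) {
    return null; // malformed input is rejected instead of executed
  }
}
```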
Old 11-29-2009, 12:46 PM   #3
arundracula
Ya.. It surely helped...
Now my thoughts are like this...
Make a basic working of the client side for normal users...

Check and validate all incomings to the server...

And I do believe in NOT TRUSTING THE USER.. whether he may be a hacker or a "mis-typed" one
Old 11-29-2009, 12:47 PM   #4
icio
Good, glad it helped.
Old 12-01-2009, 06:48 PM   #5
jwilliam
I'd also suggest reading the Wikipedia entry on cross-site scripting attacks. Depending on what you're allowing users to do on your website, this could be a possible threat too.