Comments on: Server Side JavaScript Databases Access

By: crock

crock — Sat, 09 Feb 2008 00:41:50 +0000

SQL is fine in a server, if it is hidden safely behind a tier of some sort. Exposing an SQL interface to the network is inexcusably dangerous. A client service that would make it seem to be a good idea to expose the database to the network will induce good people to do very bad things, as we have seen here. Gears and AIR do this. It is possible to use them well. It is also possible to use them very badly.

By: wgyouree

wgyouree — Fri, 08 Feb 2008 21:40:51 +0000

I’m not positive but I think you could execute code from a bookmarklet on a webpage implementing this setup and from that bookmarklet code make SQL queries and updates to the server-side database. Something such as “DROP TABLE Demo” comes to mind as a statement that could do some damage. That is, if those proxy methods are exposed to the client’s JavaScript runtime.

By: wgyouree

wgyouree — Fri, 08 Feb 2008 20:51:33 +0000

@balupton and @liming

I think you’ve missed @crock’s point. He’s not saying using SQL with the Jaxer Server is a problem, he’s saying there is a potential security risk in using a mashup between the client side SQL of Google Gears and the server-side SQL of Jaxer.

Unless I’m mistaken, doing a “sync” of the server to client side database would create an opportunity for SQL injection attacks on the local database.

“This now allows me to run the addPhrase code from the browser, and it will be proxied up to the server to actually execute that INSERT statement.” – This seems to indicate that an SQL statement will be executed from the client to the server, creating a potential for an SQL injection attack against the server.

I think the risks could be mitigated (ie, balupton’s managed hooks), but there is an increased potential for a security breach.

I may also have totally misunderstood the situation Dion is describing. Let me know if I have.

By: Liming

Liming — Fri, 08 Feb 2008 18:29:14 +0000

agree with balupton.

Jaxer exposes the sql interface on the server side, not client-side. The snippet above didn’t include , so maybe that’s where the confusion is for a lot of people.

I suggest ppl try it out first, dig around a bit before scratching the idea all together.

By: balupton

balupton — Fri, 08 Feb 2008 03:08:21 +0000

@crock, that’s the beauty of Jaxer, you can run the SQL interface just server side, it will not be available client side (with the exception of managed hooks whatever, which should be secure if written correctly).

By: crock

crock — Thu, 07 Feb 2008 14:45:33 +0000

When the Gears team announced that they where using SQLite for persistence, I tried to warn them that it would be an attractive nuisance. I warned them that having a client-side SQL interface would induce some idiot into exposing a server-side SQL interface in the interest of saving a little bit of effort. The obvious problem is that exposing SQL to the net is extremely dangerous because of XSS and other attacks. It puts too much authority into the hands of the attackers.

I never imagined that that idiot would be you.

By: balupton

balupton — Wed, 06 Feb 2008 16:02:54 +0000

Great work. I think Jaxer is quite a step in the right direction. Although I see it more used for DOM modification than server-side actions. So use it as for a templating system, by having one template system that runs server and client side, you can have a data.php that retrieves all the data, and a template.php that retrieves a single template (say for a search result) which is then populated by the many rows of data, reducing bandwidth, and providing quite the web 2.0 experience. So with jaxer, if the user does not have js enabled, the [same] template system will just run server side instead. The implementation I am eyeing is: http://code.google.com/p/jsmarty/ although it still needs some work…