使用JavaScript清理SQL输入的最佳实践? [英] Best Practices for Sanitizing SQL inputs Using JavaScript?
问题描述
因此,使用HTML5在客户端提供本地SQL数据库时,如果您要编写选择或插入内容,则不再能够通过说 $ buddski = mysql_real_escape_string来清理第三方输入。 ($ tuddski),因为PHP解析器和MySQL桥距离很远。这是SQLite的全新世界,您可以在其中组合查询并使用JavaScript解析结果。
So, with HTML5 giving us local SQL databases on the client side, if you want to write a select or insert, you no longer have the ability to sanitize third party input by saying $buddski = mysql_real_escape_string($tuddski) because the PHP parser and MySQL bridge are far away. It's a whole new world of SQLite where you compose your queries and parse your results with JavaScript.
但是,尽管您可能没有关闭整个站点的数据库,但由于恶意注入攻击而损坏数据库或擦除数据库的行为将非常令人沮丧。
But while you may not have your whole site's database go down, the user who gets his/her database corrupted or wiped due to a malicious injection attack is going to be rather upset.
因此,在纯JavaScript中逃避/清理您的输入,以便它们不会对用户的内置数据库造成破坏?
So, what's the best way, in pure JavaScript, to escape/sanitize your inputs so they will not wreak havoc with your user's built-in database?
脚本?规格?有人吗?
推荐答案
一旦将计算完全委托给客户端,游戏就结束了。即使您的脚本是防弹的,用户仍可以在本地加载自己的脚本(有关良性示例,请参阅GreaseMonkey)-并绕过您的脚本自行访问客户端数据库。
Once you entrust the computation entirely to the client, the game is over. Even if your scripts are bulletproof, the user can still load their own scripts locally (for a benign example, see GreaseMonkey) - and access the clientside db on their own, bypassing your scripts.
在我看来,具有不受信任的客户端(也就是说,几乎所有客户端)的客户端数据库唯一有用的应用程序是主服务器端数据库的镜像/缓存部分,因此客户端不会不必重复请求就可以通过网络提取数据(如果这样的客户端数据库损坏了,只需使其无效并再次从服务器加载数据即可。)
In my opinion, the only useful application of a client-side database with an untrusted client (which is to say, almost any client) is mirroring/caching parts of the main, serverside db - so that the client doesn't have to pull data over the network on repeated requests (If such clientside db gets corrupted, just invalidate it and load the data from the server again).
这篇关于使用JavaScript清理SQL输入的最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
