
I am setting up a Google Cloud MySQL instance (but I am willing to use anything else if this is not appropriate). I can only access the database via Javascript, which is fine as I can run Javascript without it displaying to the end user, so I am not worried that database credentials would be leaked. (This is achieved by running a Javascript Web Hook service. The Javascript is run through the service's own servers and not initialised on the client side. It can even be a CRON job, so no client access is required.) Please note, though, that currently this is not the focus of my question, and yes, again, I know this is far from ideal.

My major concern, though, is SQL injections. I come from a PHP background, which has a brilliant sanitization setup for database interactions. Of course Javascript does not. Are there any other setups like Google Cloud SQL that will take care of the sanitization for me?

Please don't tell me how bad this setup is. I am limited to only using Javascript for database interactions from an HTML form. I know this is far from ideal, but this is why I am asking if there is anything that would be appropriate or if I am barking up the wro

  • "I can run javascript without it displaying to the end user" - are you sure? Commented Jul 24, 2014 at 11:56
  • This is taken care of by another service. I mean that the Javascript does not need to run on the client side; the service I use will run Javascript securely. Again, I know it is not ideal, but that is not the focus of my question at this stage. Commented Jul 24, 2014 at 12:03
  • +1 for the caveats and hedging! Not a direct answer but a mitigation: consider using a proxy between the JS and SQL servers. One I've used professionally is greensql [paid]. It was pretty good and did stop most injection attacks we simulated (after watching for sufficient time to learn usage patterns). I'd be surprised if there isn't a FOSS alternative out there. Commented Jul 24, 2014 at 20:57

1 Answer


These describe some strategies for dealing with sanitizing from JavaScript:

The first references Google Caja (at the end), and the second points to the sanitization module from node, which may work for you, depending on your context.

But as above (and in the links), running in the client may expose all of this to your user and allow them to get into and tamper with your database directly.
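An added example, not from the answer or from the question's author, showing the mitigation a MySQL driver can take care of for you: keep the SQL text constant and pass user values separately so the driver binds them, instead of sanitizing the string yourself. It assumes the `mysql2` npm package and a hypothetical `users` table with an `email` column.

```javascript
// Added example (not from the question or answer). Assumes the `mysql2`
// package and a hypothetical `users` table with an `email` column.

// Vulnerable pattern: the user's input becomes part of the SQL text, so a
// quote in the input changes the structure of the query.
function buildLookupConcatenated(email) {
  return "SELECT id, email FROM users WHERE email = '" + email + "'";
}

// Safe pattern: the SQL text is a constant with a placeholder; the value
// travels separately and is bound by the driver.
function buildLookupParameterized(email) {
  return { sql: 'SELECT id, email FROM users WHERE email = ?', params: [email] };
}

// True only if the SQL text is identical for every input, i.e. no input can
// alter the query structure. Accepts either builder above.
function sqlTextIsInputIndependent(builder, inputs) {
  const texts = new Set(inputs.map((value) => {
    const q = builder(value);
    return typeof q === 'string' ? q : q.sql;
  }));
  return texts.size === 1;
}

// Runs the parameterized lookup against a real database. The driver is
// required lazily so the helpers above can be exercised without one.
async function lookupUser(email, config) {
  const mysql = require('mysql2/promise');
  const conn = await mysql.createConnection(config);
  try {
    const { sql, params } = buildLookupParameterized(email);
    // execute() uses a server-side prepared statement: params are sent
    // separately and are never spliced into the SQL text.
    const [rows] = await conn.execute(sql, params);
    return rows;
  } finally {
    await conn.end();
  }
}

// Constructed sample inputs: a normal address and one containing a quote,
// which is enough to break the concatenated query's structure.
const SAMPLE_INPUTS = ['alice@example.com', "o'brien@example.com"];
```

Both `mysql2` and the older `mysql` package accept the same `(sql, params)` pair; with `query()` the driver escapes the values client-side, with `mysql2`'s `execute()` they are bound server-side.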
