How to avoid SQL injection in a javascript text field? [closed]

Question

Closed. This question is opinion-based. It is not currently accepting answers.

Want to improve this question? Because this question may lead to opinionated discussion, debate, and answers, it has been closed. You may edit the question if you feel you can improve it so that it requires answers that include facts and citations or a detailed explanation of the proposed solution. If edited, the question will be reviewed and might be reopened.

Closed 1 year ago.

Improve this question

I have a javascript code that access a sqlite3 database. I would like to validate my text field value and prevent SQL injection. Is there an "optimum algorithm" for that?

--update: I'm developing a Xulrunner desktop application. Maybe I should use the database in the xpcom component, which is compiled (written in C), so the user will not have access to it..

Presumably the Javascript is not accessing the database directly, as Javascript is normally found on the client side. What are you running on your server? — Oliver Charlesworth
– Oliver Charlesworth, Commented Apr 29, 2011 at 20:10

Cole W · Accepted Answer · 2011-04-29 20:25:30Z

10

Typically SQL injection is avoided using parameterized SQL statements.

Here's an MSDN article describing how you would do this.

Here is another article that describes several ways you can prevent sql injection.

edited Apr 29, 2011 at 20:25

answered Apr 29, 2011 at 20:12

Cole W

15.4k7 gold badges56 silver badges88 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Otávio Décio · Accepted Answer · 2011-04-29 20:10:44Z

6

SQL injection prevention is done at the server side, there is nothing you can do on the client side to prevent it.

answered Apr 29, 2011 at 20:10

Otávio Décio

74.6k18 gold badges167 silver badges230 bronze badges

3 Comments

Gordon Seidoh Worley Over a year ago

Yes, but he's using sqlite3, which I would assume is local rather than on a server.

Dustin Laine Over a year ago

@Gordon Worley, in this context I would say server side would be inclusive of some form of language like PHP, C#, etc. that cannot be disabled/modified by end user.

Otávio Décio Over a year ago

@Gordon Worley -You mean he is accessing a database that resides on the client side? Man, that's a concept. Never thought of it.

Gordon Seidoh Worley · Accepted Answer · 2011-04-29 20:16:00Z

1

I'm not sure what type of environment you're in, but be aware that because of the nature of JavaScript and the way it's often executed in browsers, etc., code injection attacks are relatively easy, so any validation you do on the client side could be side stepped by anyone who is serious about an attack. Not that you shouldn't validate, just that you should be aware that you need to pay attention to where you're running to know if validation is enough.

answered Apr 29, 2011 at 20:16

Gordon Seidoh Worley

8,1367 gold badges51 silver badges90 bronze badges

Collectives™ on Stack Overflow

How to avoid SQL injection in a javascript text field? [closed]

3 Answers 3

Comments

3 Comments

Comments

Linked

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Comments

3 Comments

Comments

Linked

Related