keshet - 6 months ago
Javascript Question

Pass select query from the client side

Is it OK (I mean for security reasons) to pass a database query (select or update or whatever) to the server side as a parameter (like, I read the values of the form fields, form a query string in JavaScript and pass the formed string to the server as a parameter):

$.ajax({
    url: "servletURL",
    type: "post",
    // the whole SQL statement travels to the server as a request parameter
    data: {query: "select name, last_name from employees"},
    success: function (data) { /* do things */ }
});


or

var name = document.getElementById('name').value;
var last_name = document.getElementById('last_name').value;
$.ajax({
    url: "servletURL",
    type: "post",
    // the field values are concatenated straight into the SQL text in the browser
    data: {query: "select * from employees where name='" + name + "' and last_name='" + last_name + "'"},
    success: function (data) { /* do things */ }
});


Or should I pass only the parameters to the server, not full queries, and build a prepared statement there?

And surely, I can check the validity of the field values before I send the request to the server.

Answer

Unless you're building something that is explicitly for executing queries on a database (PHPMyAdmin, or such), it is NEVER okay to do this.

Why?
A malicious user can now delete your ENTIRE database, simply by editing the JavaScript.

$.ajax({
    url: "",
    type: "post",
    // any statement the attacker likes, since the server runs whatever it receives
    data: {query: "DROP database"},
    success: function () {}
});

The best practice is to send the data to the server, and construct your query over there.
The only attack that is left is SQL injection. Solutions for this are specific to each language, but you can have a look at Tom Scott's explanation on it.
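The server-side half the answer recommends, as an added example that is not part of the question or the answer: a Python/sqlite3 stand-in for the servlet (the asker's backend is Java, but the pattern is the same), with a constructed in-memory `employees` table. It contrasts the query the second snippet in the question produces once the field values reach the server with a fixed prepared statement that receives only the two field values, and it shows the request handler rejecting any parameter other than the expected fields.

```python
import sqlite3

# Constructed in-memory stand-in for the "employees" table from the question.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, last_name TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("Ann", "Lee", 50000), ("Bob", "Ray", 62000), ("Cy", "Ng", 71000)],
    )
    return conn

def unsafe_lookup(conn, name, last_name):
    # What the second snippet in the question amounts to on the server:
    # the user-controlled values become part of the SQL text itself.
    sql = ("SELECT name, last_name FROM employees WHERE name='" + name
           + "' AND last_name='" + last_name + "'")
    return conn.execute(sql).fetchall()

def safe_lookup(conn, name, last_name):
    # The SQL text is fixed here; the values are bound as parameters and are
    # only ever treated as data, never as part of the statement.
    sql = "SELECT name, last_name FROM employees WHERE name=? AND last_name=?"
    return conn.execute(sql, (name, last_name)).fetchall()

# The only parameters the endpoint accepts; no "query" field exists.
ALLOWED_FIELDS = {"name", "last_name"}

def handle_request(conn, form):
    # Hypothetical request handler (the servlet's doPost in the question's setup):
    # reject unexpected parameters, then run the fixed prepared statement.
    unexpected = set(form) ^ ALLOWED_FIELDS
    if unexpected:
        raise ValueError("unexpected or missing parameters: %s" % sorted(unexpected))
    return safe_lookup(conn, form["name"], form["last_name"])
```

With a field value such as `x' OR '1'='1`, `unsafe_lookup` returns every row, while `safe_lookup` returns none because the value is matched literally.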
