How to insert Javascript code in the database?

4

I'm creating a bbcode function for a blog I'm doing and wanted to know if it's possible (and safe) to insert JavaScript code into my database.

I'm working with MySQL.

Another question: I cannot insert single quotation marks (which are within the textarea) into the database.

This is the code I'm using for insertion:

$sql="INSERT INTO artigo values";
$sql.="('null','".$titulo."','".$mensagem."', NOW())";
    
asked by anonymous 09.02.2014 / 16:25

2 answers

3

The answer depends on whether you mean secure for your database or secure for your application.

Database: main attack is SQL injection

If you escape characters and remove code that could cause a SQL injection, it will be safe for your database.

All languages that work with databases offer resources to avoid this type of attack. Read about your language to learn more. It is not complex to avoid this kind of attack.

Application: main attack is persistent cross-site scripting (XSS)

This question is quite complex and depends a lot on browser experience and on how a flaw can be exploited. If you do not know exactly what you are doing, there is a huge chance that a bug can be exploited, because you can allow JavaScript code to do something harmless, but people use it to steal cookies from someone who is viewing the page where their JavaScript code is available, and the code could send the cookies to other sites. This is just one example, but there are many others.

It is complex, if not impossible, to avoid this type of attack. Only trusted users should be allowed JavaScript without heavy validation.

I strongly recommend that anyone interested watch the Douglas Crockford: Principles of Security video, which explains how complicated this is and gives an idea of how to avoid it.

Overview

Unless you have strong reasons to do this and know the implications, or strongly trust whoever will enter the JavaScript code, do not do this. By default CMSs like Joomla and WordPress do not allow you to enter JavaScript; there are ways to allow JavaScript to be inserted into articles, but it is the person who manages the CMS who decides to enable it.

09.02.2014 / 16:27
3

1. Yes, it is possible.

JavaScript code is text only. Technically, there is no problem with storing it in the database. Whether it is recommendable or the best solution is another question.

2. Is it safe? It depends.

It completely depends on what you intend to do with that code. Where it comes from, where it goes, and how it is used.

In the database, there is no JavaScript execution environment. It's safe. As stated above, it is just another string of text. You will need to take the precautions common to any other text content, notably escaping, avoiding vulnerabilities that are independent of the text being "JavaScript code" or any other type of text.

In the application, it depends a lot, varying from one extreme to the other: depending on how it is used, the application may be dangerous or secure.

To analyze it, you have to start by considering: How do you intend to use this code? Who can supply the database with this code?

The danger of using user-generated JavaScript code is that a malicious user can easily program an HTTP request to be triggered, thereby triggering other functions of your application (for example, simulating the effect of a click on "Like", sending the authentication cookie to a remote server, et cetera).

09.02.2014 / 16:28
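An added example (not code from the question or from either answer) showing both pieces of advice in PHP with mysqli: the question's INSERT as a prepared statement, which also fixes the single-quote problem, and HTML escaping when the stored text is displayed. The connection credentials and the four-column layout of artigo (id, titulo, mensagem, date) are assumptions taken from the question's VALUES list.

```php
<?php
// Added example, not from the question or the answers.
// Assumed schema: artigo(id AUTO_INCREMENT, titulo, mensagem, data).
// Connection details are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

// Database side: a prepared statement sends the values separately from
// the SQL text, so a single quote in the textarea (or a whole JavaScript
// program) is stored as data and cannot change the query.
function insertArtigo(mysqli $db, string $titulo, string $mensagem): int
{
    // NULL (not the string 'null') lets AUTO_INCREMENT assign the id.
    $stmt = $db->prepare('INSERT INTO artigo VALUES (NULL, ?, ?, NOW())');
    $stmt->bind_param('ss', $titulo, $mensagem); // both bound as strings
    $stmt->execute();
    return $db->insert_id;
}

// Application side: escape on output, so any <script> stored in the
// database reaches the browser as inert text instead of running
// (the stored XSS both answers warn about). If bbcode is wanted,
// run the bbcode-to-HTML conversion on this escaped text, not on the raw text.
function renderArtigo(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a single quote and a script tag, the two
// cases the question and the answers are concerned with.
$titulo   = "Dica d'ouro";
$mensagem = "<script>alert(1)</script>";

$id = insertArtigo($db, $titulo, $mensagem);
echo renderArtigo($mensagem); // tags arrive as &lt;script&gt;, not as markup
```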