
I came to think about this question a few days ago when I designed an HTML form that submits data via PHP to an SQL database. I solved my problem, but I am asking here a computer-theoretical question, which might help me (or others) in the future.

I want to protect myself from SQL-injection, and I thought that instead of validating the data by the PHP on the server side, I can have the JavaScript validate the data on the client side (I am much more fluent in JS than in PHP) and then send it.

However, a sophisticated user might inspect the JavaScript (or the HTTP request) and then alter it to send his own vicious request to the server.

My question:

Is it theoretically possible to do a computation on the client side, where the code is visible to him, and have it sent with some way that ensures that the data was sent from my program and not from an altered code?

Can this be done by an RSA-scheme with public and private keys?

yohai

1 Answer


I want to protect myself from SQL-injection, and I thought that instead of validating the data

Don't validate data to protect yourself from SQL Injection. Validate data to make sure it is in the format you want.

Escape data to protect yourself from SQL Injection (and do that escaping via prepared statements and parameterized queries).

Is it theoretically possible to do a computation on the client side, where the code is visible to him, and have it sent with some way that ensures that the data was sent from my program and not from an altered code?

No. The client side code can be bypassed entirely. In this arena, it is useful only to quickly tell the user that their data would be rejected if it was submitted to the server.

Can this be done by an RSA-scheme with public and private keys?

No. You have to give one of the keys to the client. It can then be extracted and used independently of your code.

Quentin
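To make the answer's two points concrete, here is an added PHP example (not code from the question or the answer) that repeats the format validation on the server, where it cannot be bypassed, and then queries the database with a PDO prepared statement. The `users` table, its columns, the `sqlite::memory:` DSN and the sample rows are all assumptions constructed for the demo; the unsafe function is shown only as the "before" to contrast with the parameterized form.

```php
<?php
// Added example, not part of the original question or answer.
// Assumed schema: users(id INTEGER PRIMARY KEY, username TEXT).
declare(strict_types=1);

// Server-side format validation. This is the same kind of rule the client-side
// JavaScript might apply, repeated here because the client check can be bypassed.
// It decides whether the value is in the shape we want, not whether it is "safe".
function validateUsername(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $value) === 1;
}

// UNSAFE: the value is concatenated into the SQL text, so a value containing a
// quote character changes the structure of the query. Shown only for contrast.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: prepared statement with a bound parameter. The SQL text is fixed and the
// value travels separately, so it is compared as data and never parsed as SQL.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo database (in-memory SQLite) with two sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// In a real request this would be the form field; the fallback is a constructed
// value that a tampered client could submit after the JavaScript check is removed.
$input = $_POST['username'] ?? "x' OR '1'='1";

if (!validateUsername($input)) {
    // Format validation rejects the request before any query runs.
    http_response_code(400);
    echo "Rejected: username has an invalid format\n";
} else {
    // Even a well-formed value is still passed as a bound parameter.
    print_r(findUserSafe($db, $input));
}

// What each query style returns for the constructed value, to show why
// escaping/parameterization, not format validation, is the injection defence:
echo count(findUserUnsafe($db, "x' OR '1'='1")) . " rows from the unsafe query (every user)\n";
echo count(findUserSafe($db, "x' OR '1'='1")) . " rows from the safe query (none)\n";
```

Run it from the command line with `php example.php` (the `pdo_sqlite` extension must be enabled). The validation function and the prepared statement are independent defences: the regex keeps the data in the expected format, and the bound parameter guarantees the query structure cannot change regardless of what the client sends. When using the MySQL driver rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the server, not the PHP client library, performs the parameter binding.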