
I am setting up a Google Cloud MySQL instance (but I am willing to use anything else if this is not appropriate). I can only access the database via JavaScript, which is fine as I can run JavaScript without it displaying to the end user, so I am not worried that database credentials would be leaked. (This is achieved by running a JavaScript web hook service. The JavaScript is run through the service's own servers and not initialised on the client side. It can even be a CRON job, so no client access is required.) Please note, though, that currently this is not the focus of my question and, yes, again, I know this is far from ideal.

My major concern, though, is SQL injection. I come from a PHP background, which has a brilliant sanitization setup for database interactions. Of course JavaScript does not. Are there any other setups like Google Cloud SQL that will take care of the sanitization for me?

Please don't tell me how bad this setup is. I am limited to only using JavaScript for database interactions from an HTML form. I know this is far from ideal, but this is why I am asking if there is anything that would be appropriate or if I am barking up the wro

Somk
  • "I can run javascript without it displaying to the end user" - are you *sure*? – Grim... Jul 24 '14 at 11:56
  • This is taken care of by another service. I mean that the JavaScript does not need to run on the client side; the service I use will run JavaScript securely. Again, I know it is not ideal, but that is not the focus of my question at this stage – Somk Jul 24 '14 at 12:03
  • +1 for the caveats and hedging! Not a direct answer but a mitigation: consider using a proxy between the JS and SQL servers. One I've used professionally is [greensql](http://www.greensql.com/product/database-security) [paid]. It was pretty good and did stop most injection attacks we simulated (after watching for sufficient time to learn usage patterns). I'd be surprised if there isn't a FOSS alternative out there. – Basic Jul 24 '14 at 20:57

1 Answer

These describe some strategies for dealing with sanitizing from JavaScript:

The first references Google Caja (at the end), and the second points to the sanitization module from node, which may work for you, depending on your context.

But as above (and in the links), running in the client may expose all of this to your user and allow them to get into and tamper with your database directly.

Chris Westin
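The question is really asking for what PHP's prepared statements give you: a way to send values to MySQL without ever splicing them into the SQL text. The JavaScript below is an added example, not code from the question, the answer, or any of the linked projects. It contrasts a query built by string concatenation with one built from `?` placeholders. The escaping function is a minimal, self-contained stand-in for what a MySQL driver does with placeholders (it is modelled on, but is not, the `mysql`/`mysql2` npm packages' `format`/`escape`), and it exists only so the file runs offline; the injection payload is constructed for the demo.

```javascript
// Added example (not from the original question or answer): a query built by
// string concatenation versus one built from `?` placeholders.
// escapeValue/format below are a small stand-in for driver-side parameter
// handling so this runs without a database; they are NOT the mysql/mysql2
// npm library. With a real driver, prefer server-side prepared statements
// (e.g. mysql2's connection.execute) so values never enter the SQL text.

// Vulnerable: user input is spliced straight into the SQL text.
function buildQueryConcat(email) {
  return "SELECT id FROM users WHERE email = '" + email + "'";
}

// Escape one value the way a MySQL string literal needs it: backslash-escape
// the characters that can terminate or alter a quoted literal, then quote it.
// Numbers pass through unquoted, null/undefined become NULL, other types are
// rejected rather than stringified blindly.
function escapeValue(value) {
  if (value === null || value === undefined) return "NULL";
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  if (typeof value === "boolean") return value ? "true" : "false";
  if (typeof value !== "string") {
    throw new TypeError("unsupported parameter type: " + typeof value);
  }
  const escaped = value.replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => {
    switch (ch) {
      case "\0": return "\\0";
      case "\b": return "\\b";
      case "\t": return "\\t";
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\x1a": return "\\Z";
      case '"': return '\\"';
      case "'": return "\\'";
      case "\\": return "\\\\";
      default: return ch; // unreachable: the class above lists every case
    }
  });
  return "'" + escaped + "'";
}

// Substitute each `?` with the next escaped parameter. A count mismatch is a
// caller bug, so it throws instead of leaving a stray `?` or dropping a value.
function format(sql, params) {
  let i = 0;
  const out = sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error("too few parameters for query");
    return escapeValue(params[i++]);
  });
  if (i !== params.length) throw new Error("too many parameters for query");
  return out;
}

// Safe: whatever the value contains, it lands as a single quoted literal.
function buildQueryParam(email) {
  return format("SELECT id FROM users WHERE email = ?", [email]);
}

// Demo with a constructed injection payload.
const payload = "x' OR '1'='1";
console.log(buildQueryConcat(payload));
// SELECT id FROM users WHERE email = 'x' OR '1'='1'       (tautology: every row)
console.log(buildQueryParam(payload));
// SELECT id FROM users WHERE email = 'x\' OR \'1\'=\'1'   (one string literal)
```

The concatenated form turns the payload into a second condition; the placeholder form keeps it inside one literal. Note that client-side escaping like this depends on the connection character set and on `sql_mode` (`NO_BACKSLASH_ESCAPES` changes the rules), which is exactly why a driver's server-side prepared statements, where the server receives the SQL and the parameters separately, are the safer choice whenever the driver offers them.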