March 16, 2007 - 10:15 UTC - Tags: javascript security sql injection
I was looking through my log and found a referer entry where someone had searched google with the search term "javascript+validation+to+avoid+SQL+injection". It seems some developers still don't understand that trying to lock up an application on the client side using javascript is impossible. It is like trying to avoid burglaries to your home by locking the doors to the homes of every thief around.
Some example techniques for circumventing javascript validation are:
- Disabling javascript in your browser
- Changing the data using a proxy
- Changing the data using a browser plugin (e.g. Firefox: Live HTTP headers)
There is no client side security in web applications. _Client side_ javascript validation is purely cosmetic. It helps make the application more user friendly, and avoids stressing the server with erroneous data from users without evil intentions. _Client side_ javascript validation has nothing to do with security.
Update 2010-05-30: There are now several frameworks that run javascript on the server side, and in this scenario the search may be valid. I suggest though that you include the framework name in your search. And of course remember to do the validation server side. But actually validation is not the correct way to avoid sql-injection. You avoid it by escaping the data before sticking it in the query. See "Why input validation is not the solution for avoiding SQL injection and XSS" and parts one and two of the security craftsman series.