Comments on: Client-side SQL Injection Attacks

By: anonymous

anonymous — Thu, 03 Jul 2008 02:49:53 +0000

isnt there protection against that kind of attack?

By: Google Gears: A bit unsafe? - Kartones Blog

Google Gears: A bit unsafe? - Kartones Blog — Sun, 10 Jun 2007 22:00:41 +0000

[...] on the online side there are possible XSS flaws that could be exploited. SQL Injection was feared too, but seems that the Gears DB API uses blind [...]

By: name

name — Sat, 09 Jun 2007 20:22:45 +0000

Even if your SQL queries are right but you trust the user input,

why would anyone trust user input? (When attempting to avoid the obvious, of course)

By: Aaron Boodman (Gears developer)

Aaron Boodman (Gears developer) — Sat, 09 Jun 2007 01:37:18 +0000

You’re right that Gears does open up more possibilities once a website has an XSS hole. Developers will have to treat the client database as suspect and validate it on the server, much the same way they validate other data coming from the client.

By: pdp

pdp — Wed, 06 Jun 2007 18:58:42 +0000

Simon, you are right… the point is that it is still possible. Only the time will show. One thing that Googe Gears definitely promotes is persitent XSS. Even if your SQL queries are right but you trust the user input, you may end up saving JavaScript inside your database and then recalling it everytime the user does an action to retrieve that malicious entry. I know that the Firefox team is also working on a persistent storage for Firefox3 which is also based on SQLite. IE and Opera will follow. That will only increase the attack surface of attacks such as SQL Injection, XSS and CSRF.

By: Simon Willison

Simon Willison — Tue, 05 Jun 2007 22:59:17 +0000

The Google Gears database API uses bind parameters which are immune to SQL injection. Developers could still write bad code, but Gears makes it easy enough to avoid SQL injection that only very poor developers are likely to end up with injection holes.