I was thinking to make some jQuery functions that will use ajax to control mysql
Question
I was thinking to make some jQuery functions that will use AJAX to control MySQL. The whole idea is to make separate PHP files (e.g. query.php, addRow.php, update.php and delete.php), provide data to them via GET variables like query.php?sql=SELECT * FROM table, and then control them with jQuery AJAX functions that I'll make later. Expected code:
$(element).click(function (e) {
    // mysql.query is the planned wrapper: it would send the SQL string to the PHP file via AJAX
    mysql.query("DELETE FROM table WHERE name = 'John Doe'");
});
And then it'll send query through AJAX and the query will be performed.
So the problem is SECURITY. I mean anyone can just change the JavaScript from the browser's inspector or use the console to control my databases. What can be done about this problem? Is there any way to not let anyone change elements in the browser console? If not, is there ANY WAY to overcome this security problem?
Explanation / Answer
Never expose direct access to your database from the web layer. You can never lock that down; someone will send "DROP TABLE table" to your server, however much you lock down the JS source.
All they have to do is see what the browser sends to your server to detect that your server accepts arbitrary SQL commands.
Not that you can lock down the JS code; it is not the browser you need to worry about, anyone can send an HTTP request and start introspecting your client-side code anyway.
Build a RESTful API instead, use that from the client. Such an API is limited in the damage it can do if someone starts calling it directly.
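One way to implement what the answer recommends, as an added example that is not part of the original question or answer: a single-purpose PHP endpoint that deletes one record by name, with the SQL fixed on the server and the client value bound as a parameter, so the browser never sends SQL at all. The table name `contacts`, the PDO connection details, the `$_SESSION['user_id']` login marker and the `$_SESSION['csrf']` token are assumptions.

```php
<?php
// delete.php: added example, not from the original post or answer.
// Instead of accepting raw SQL (query.php?sql=...), this endpoint performs
// exactly one action: delete the contact with the given name.
// Assumptions (hypothetical): a 'contacts' table with a 'name' column,
// PDO connection details, and a login that stores $_SESSION['user_id']
// and a per-session anti-CSRF token in $_SESSION['csrf'].
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

// 1. Only an authenticated user may call this; the browser's console
//    cannot change who the server thinks is logged in.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'not authenticated']));
}

// 2. Destructive actions use POST, never a GET URL a link could trigger,
//    and must carry the session's anti-CSRF token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'use POST']));
}
$token = $_POST['csrf'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['csrf'] ?? '', $token)) {
    http_response_code(403);
    exit(json_encode(['error' => 'bad CSRF token']));
}

// 3. Validate the single parameter this endpoint accepts.
$name = $_POST['name'] ?? '';
if (!is_string($name) || $name === '' || strlen($name) > 100) {
    http_response_code(400);
    exit(json_encode(['error' => 'name is required (max 100 bytes)']));
}

// 4. The SQL text is fixed in server code; the client value is bound as a
//    parameter, so it can never alter the statement's structure.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('DELETE FROM contacts WHERE name = :name');
$stmt->execute([':name' => $name]);

exit(json_encode(['deleted' => $stmt->rowCount()]));
```

The matching client call is `$.post('delete.php', {name: 'John Doe', csrf: token})`; the same pattern (one endpoint per action, SQL fixed on the server, values bound as parameters) covers query, addRow and update as well.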