I have a website on which I let the user edit the frontend of the website. The user only has access to an editor, not to the server it's hosted on.
The user asked me to also allow JavaScript. This means the user can create his own scripts on the frontend.
What I was worrying about was that the user may use this to do malicious stuff. I'm afraid that if the user knows stuff well enough he might screw over the site.
My questions: - Let's say the user has the connection string of the SQL DB, can he manage to perform queries on that server? Normally this should be NO, as JavaScript is client side, right?
I found the following snippet:
// Legacy IE-only snippet: ActiveXObject exists only in Internet Explorer with
// ActiveX enabled, and the database must be reachable from the visitor's machine.
var connection = new ActiveXObject("ADODB.Connection");
var connectionstring = "Data Source=<server>;Initial Catalog=<catalog>;User ID=<user>;Password=<password>;Provider=SQLOLEDB";
connection.Open(connectionstring);
var rs = new ActiveXObject("ADODB.Recordset");
rs.Open("SELECT * FROM table", connection);
rs.MoveFirst();
while (!rs.EOF) {
    // Write the second column of the current row into the page.
    document.write(rs.Fields(1).Value);
    rs.MoveNext();
}
rs.Close();
connection.Close();
Let's say my connection string looks like
Data Source=(local);Initial Catalog=TestDB;Application Name=TestDB;Integrated Security=True
I have tried to make the script run, but luckily it showed a blank page. But is this because I'm maybe doing something wrong? Or is it indeed because JavaScript is client side and will not allow doing that sort of stuff?
Other question: - What examples of other risks did I take by allowing him to use JavaScript on the frontend? If it's true that JavaScript is an entirely client-side language, it means that he couldn't do anything else risky, right?
From: Can end user contact SQL DB if he can write his own Javascript?