<p>TL;DR There is no way to achieve any kind of security that way. You can <strong>never</strong> trust the client.</p>

<p>In the end, a browser is just downloading a bunch of HTML and JavaScript files (and images, and CSS, etc.) and executing/presenting them in a window for you, following specifications on how to display HTML and CSS and how to execute JavaScript. An Internet browser isn't saving the files to your disk like you would download a document, but it's really not any different. (Well, it <em>is</em> downloading the files, just not in your "Documents" folder.) It's just doing everything in the context of browsing the web to make it convenient for the user to view nicely formatted pages, as opposed to HTML markup. But these files are just files and can live (i.e. be read and edited) outside of the browser context.</p>

<p>So if you have any sort of secret key in one of your JavaScript files, disallowing Firebug Lite won't prevent anyone from accessing the secret key because I could just download that file with tools like <a href="http://curl.haxx.se/" rel="noreferrer">curl</a> or <a href="http://www.gnu.org/software/wget/" rel="noreferrer">wget</a> and read it in a text editor. Keep in mind that <em>anything</em> done in a browser can be done "manually" with curl.</p>

<p>Let's imagine you had a way to disallow Firebug Lite in your page through some JavaScript. I could always use some kind of custom browser that behaves the exact same way as a browser except that it wouldn't execute that particular code. It's a convention that the browser will execute all code served for a page, but nothing technically stops it from being selective. (And many browser extensions actually make them selective; AdBlock comes to mind.)</p>

<p>Don't get me wrong: client-side validation in forms is useful and convenient, but it should <strong>never</strong> replace server-side validation. You need to write server-side code that will validate the identity of the user (typically through a cookie) for all queries and only execute the query if that user has the proper permissions. (You would also want to check the validity of the input values, of course.)</p>
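As an added example (not part of the original answer), here is what the server-side check described above could look like in Node.js. The session store, document table, cookie name `sid`, and the `handleDelete` route are assumptions made for illustration: identity comes from a cookie looked up on the server, input is validated again on the server, and permission is decided from server-side records, so a request built by hand with curl (including one that adds a forged `isAdmin` field) gets the same treatment as one built by the page's own form.

```javascript
// Added example (not from the original answer). A server-side gate for a
// hypothetical "delete document" query: the browser's cookie and parameters
// are treated as untrusted input, and the decision is made only from state the
// server holds. Names, stores and routes here are assumptions for illustration.

// Constructed session store: session id -> signed-in user. A real deployment
// keeps this in a database or cache; it is never shipped to the client.
const SESSIONS = new Map([
  ["s3ss10n-alice", { user: "alice", roles: ["editor"] }],
  ["s3ss10n-bob", { user: "bob", roles: ["viewer"] }],
]);

// Constructed document table: document id -> owner.
const DOCUMENTS = new Map([
  [42, { owner: "alice", title: "notes" }],
  [43, { owner: "carol", title: "budget" }],
]);

// Parse a Cookie header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const cookies = {};
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Server-side input validation. Whatever the form's JavaScript checked, the
// value that arrives here may have been typed by hand into curl.
function validateInput(body) {
  if (!body || typeof body !== "object") return "missing body";
  if (!Number.isInteger(body.docId) || body.docId <= 0) {
    return "docId must be a positive integer";
  }
  return null;
}

// Handle the delete query. `req` mimics an HTTP request ({ headers, body })
// and the result mimics a response ({ status, body }). `docs` is the store to
// act on, defaulting to DOCUMENTS.
function handleDelete(req, docs = DOCUMENTS) {
  // 1. Identity comes from the session cookie, looked up server-side.
  const sid = parseCookies(req.headers && req.headers.cookie).sid;
  const session = SESSIONS.get(sid);
  if (!session) return { status: 401, body: { error: "not authenticated" } };

  // 2. Input is validated again on the server.
  const problem = validateInput(req.body);
  if (problem) return { status: 400, body: { error: problem } };

  // 3. Permission comes from server-side records, never from request fields
  //    such as `isAdmin: true` that a client could simply add.
  const doc = docs.get(req.body.docId);
  const allowed =
    doc && (doc.owner === session.user || session.roles.includes("admin"));
  if (!allowed) {
    // Same answer for "no such document" and "not yours", so the response
    // does not reveal which ids exist.
    return { status: 404, body: { error: "not found" } };
  }

  docs.delete(req.body.docId);
  return { status: 200, body: { deleted: req.body.docId } };
}

// A request the page's form would never build, but curl will: bob's cookie
// plus a forged "isAdmin" flag aimed at alice's document.
function forgedRequest() {
  return {
    headers: { cookie: "theme=dark; sid=s3ss10n-bob" },
    body: { docId: 42, isAdmin: true },
  };
}

// Run the gate against a few constructed requests and return the statuses.
function demo() {
  const fresh = () => new Map(DOCUMENTS);
  return {
    noCookie: handleDelete({ headers: {}, body: { docId: 42 } }, fresh()).status,
    forged: handleDelete(forgedRequest(), fresh()).status,
    badInput: handleDelete(
      { headers: { cookie: "sid=s3ss10n-alice" }, body: { docId: "42" } },
      fresh()
    ).status,
    owner: handleDelete(
      { headers: { cookie: "sid=s3ss10n-alice" }, body: { docId: 42 } },
      fresh()
    ).status,
  };
}
```

The forged request carries a valid cookie, so it is authenticated, but it is refused because the server consults its own ownership table and ignores the `isAdmin` field entirely. That is the whole point: nothing the page's JavaScript did or did not do can change the outcome of `handleDelete`.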