What is Database Connectivity for JavaScript?

IBM® Database Connectivity for JavaScript™ is middleware that enables Web clients to directly access server-side relational data without compromising enterprise security.

"Directly access" without compromising "enterprise security", yeah...

On the client, IBM Database Connectivity for JavaScript consists of a JavaScript API and library that can be used by Web applications without special browser plug-ins. On the server, the IBM Database Connectivity for JavaScript gateway, written in PHP, is an adaptor layer that mediates between IBM Database Connectivity for JavaScript and relational databases and provides functions such as operation forwarding and security. Web 2.0 applications can thus use IBM Database Connectivity for JavaScript to access relational data as a first-class construct instead of through ad hoc protocols.

Before you start wondering (like I did) what "operation forwarding" and "security" mean in this context, I'll tell you since I bothered to read the source code: it's just a thin layer with a JDBC-like API which allows JavaScript code to compose and submit SQL statements from the client side!
Security, if any, needs to be enforced at the database level, and access credentials are sent from the client side as well.

IBM Database Connectivity for JavaScript supports the trend for Web applications to be dynamically composed in a Web browser -- so-called "Web 2.0" applications -- instead of being completely composed on the server ("Web 1.0").

First "enterprise", now "Web 2.0"...

IBM Database Connectivity for JavaScript is specifically geared toward enabling the potential Web 2.0 benefits of increased application responsiveness and the ability to flexibly combine information from various sources on the client. Web 2.0 access to server-side data, however, is currently characterized by Representational State Transfer (REST)-like APIs, which are typically application specific.

Bah, those old-fashioned resource mappings which (try to) expose only the data subsets relevant to the application front-end...
But now we can unleash the full power of SQL: free queries to all our databases for everyone in the fantastic world of Web 2.0!

ODBC is powerful -- allowing any SQL statement to be executed -- and simple, in the sense that developers are required to understand only a few abstractions. IBM Database Connectivity for JavaScript can be thought of as an "ODBC for Web clients," enabling Web developers to benefit from a general-purpose API for accessing relational data.

Great work IBM! Now please convince some of your many banking customers to deploy this fantastic technology on their Internet-facing web servers, and we'll be happy to "benefit from a general purpose API for accessing relational data" directly from Firebug, thanks!
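To make the design point concrete, here is an added example in plain JavaScript (not IBM's code, not the PHP gateway, and not the DBC-JS API): a toy "ODBC for Web clients" gateway that forwards whatever statement text the browser composed, beside a gateway that only accepts server-defined, parameterized statements by name. The statement catalogue, request shapes and sample values are constructed for illustration.

```javascript
// Added illustration, not DBC-JS code. Requests are plain objects as a
// browser might POST them; the gateways return what would reach the database.

// Server-side catalogue of statements the front-end may run. The SQL text
// lives here, never in the browser; the client can only name an entry.
const NAMED_STATEMENTS = {
  booksByAuthor: { sql: "SELECT id, title FROM books WHERE author = ?", arity: 1 },
  bookById:      { sql: "SELECT id, title, price FROM books WHERE id = ?", arity: 1 },
};

// Design 1: the client composes the statement, the gateway only binds
// parameters. A prepared-statement API stops injection into the *parameters*,
// but the whole statement text is already under the client's control.
function openGateway(request) {
  return { sql: request.sql, params: request.params || [] };
}

// Design 2: the client picks a named statement and supplies its parameters.
// Every rejection carries a reason so it can be logged and alerted on.
function allowlistedGateway(request) {
  // hasOwnProperty lookup so names like "constructor" or "toString" do not
  // resolve to inherited Object properties.
  const known = Object.prototype.hasOwnProperty.call(NAMED_STATEMENTS, request.name);
  if (!known) {
    return { rejected: `unknown statement name: ${String(request.name)}` };
  }
  const entry = NAMED_STATEMENTS[request.name];
  const params = request.params;
  if (!Array.isArray(params) || params.length !== entry.arity) {
    return { rejected: `expected ${entry.arity} parameter(s) for ${request.name}` };
  }
  // Only scalar bind values: no objects, arrays or functions smuggled in.
  const isScalar = v => v === null || ["string", "number", "boolean"].includes(typeof v);
  if (!params.every(isScalar)) {
    return { rejected: `non-scalar parameter for ${request.name}` };
  }
  return { sql: entry.sql, params };
}

// Constructed requests: the paper's own "select * from books" demo typed into
// an input box, and a well-formed named request.
const freeformRequest = { sql: "SELECT * FROM books", params: [] };
const namedRequest = { name: "booksByAuthor", params: ["Karwin"] };

console.log(openGateway(freeformRequest));        // forwarded as-is
console.log(allowlistedGateway(freeformRequest)); // rejected: no statement name
console.log(allowlistedGateway(namedRequest));    // server-defined SQL + params
```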

9 Responses to “We Don't Need SQL Injection Anymore...”

  1. #1 remy says:

    are they crazy?

    security and javascript access to databases? Yes, Yin and Yang :P

    I hope nobody new to web technologies uses this crap.

    It's a pity that they have no real time demos :D

    happy hacking ;)

  2. #2 ascii says:

    Just. Amazing.

  3. #3 foo says:

    Well, as far as I see, it's not that bad. They use stored procedures (and you have some degree of control over what procedures may be called - there's a whitelist of OK ones). So you can't inject arbitrary code.

    Well, I don't say I would use a bank that uses this kind of technology, but for some low-security applications - for example some CMS - it might be nice (I imagine that this kind of code is written fast).

    But I'm not a website security expert. And I'd like to see a conceptual example of a hack using stored procedures.

  4. #4 klurf says:

    Lol, it's worth reading the research report

    "The DBC-JS API requires that clients authenticate themselves to the server with a name and password when first establishing a connection to the server. These credentials are passed on each message from client to the server which authenticates the client on a per-message basis."

    "DBC_JS prevents SQL injection attacks by using a prepared statement API. Since the parameter values are never parsed as SQL, injection attacks cannot occur"

    2nd level injection?
    Not to mention DoS attacks

    Not to mention the idea in general to make business logic at client side.
    Example source from the PDF:

    if (validPassword)

  5. #5 Giorgio says:

    DBC-JS, as you can see by the source code, the demo and the paper, allows usage of prepared statements and stored procedures, but does not enforce it.
    Even the example at the end of the paper is "select * from books" entered in a browser input box.
    Guess what the underpaid junior developers who can "understand only a few abstractions" are going to do?

  6. #6 links for 2008-06-13 | Yostivanich.com says:

    [...] hackademix.net » We Don’t Need SQL Injection Anymore… This is stupid, allowing javascript to execute sql queries, client side is rife with issues. (tags: javascript security sql ibm) [...]

  7. #7 Slim Amamou says:

    looks like dbslayer for ODBC http://code.nytimes.com/projects/dbslayer

  8. #8 Giorgio says:

    @Slim Amamou:
    yes, NYT's DBSlayer is quite similar in concept.
    But NYT folks are running their bridge as a separate and private load balancing daemon (port 9090 by default), and they don't suggest querying it directly from the client.
    Their samples are in PHP and Ruby, server side indeed.

  9. #9 Jan says:

    It's emerging software, no support, use at your own risk. For me it's an interesting idea which needs work.
