JS Ares

Reputation: 179

How can I prevent SQL-injection in Java / JSP on the client side?

What can be done to prevent SQL-injection on the client side? At school, I learned that all queries should be parametrized (PreparedStatement, executeQuery ...), but that's all on the server side.

Is there anything that can be done on client side? And why?

Upvotes: 0

Views: 1043

Answers (1)

Liath

Reputation: 10191

Nothing.

Client-side code is inherently unsafe; see this question. Everything running in (let's assume) the browser can be modified by the end user (after all, they've got the scripts/code, so they can tinker with them to their heart's content). Always assume information coming from the client is malicious.

I suspect the reason you're thinking about client code is because you've heard about client side validation. This is slightly different. Broadly speaking:

  • Client-side validation prevents the user making a mistake (for example missing out their name or mismatching email addresses). The user can subvert it; it's there to help.
  • Server validation is to make sure that everything is valid and safe. It runs on the server, so it is safe from the client.

This is why many solutions (such as the .NET validators) validate on both the server and the client.

As @FreeAsInBeer mentioned in their comment above, some libraries could allow you to connect to a database using JavaScript (I've never used one myself). The obvious advantage of this is you don't need a server. Again, the same principle applies: you're giving your client-side code access to the database, which means your malicious user has access too. Be careful what you put in there!

Upvotes: 2
