Backbone.js Security - javascript

i am learning Backbone.js at the moment, so sorry if my question is nooby :-P
in my program i check my data at server-side to be correct and etc ... but i was wondering what will happen if users change the data stored in models using Console in FireBug for example and try .save() or .fetch().
is there any way to stop such actions ?
considering all my data is going to be stored in models and can be easily retrieved by users i am not really comfortable using backbone.js, is it just me or is there something wrong here ?!

A simple and safety way is to include the user credentials (username and password) into your model and check it on the server side to each AJAX calls.
To avoid so much bdd requets, you can also generate an associated array of id => serial key to each logged user on the server side and return it by fetch() during the auth proccess, then, check if the id and the serial key you generated match to each AJAX calls.

but i was wondering what will happen if users change the data stored in models using Console in FireBug for example and try .save() or .fetch().
Then the edited data would be submitted to the server
is there any way to stop such actions ?
No, you just have to deal with them in the same way that you deal with any request: Perform authentication/authorization to make sure that the user making the request is allowed to do so.
considering all my data is going to be stored in models and can be easily retrieved by users i am not really comfortable using backbone.js
Then don't use it.
But don't be paranoid about keeping data secret if it is stuff you would display to the user if you weren't using a client side framework like backbond.

considering all my data is going to be stored in models and can be easily retrieved by users i am not really comfortable using backbone.js, is it just me or is there something wrong here ?!
You aren't doing anything wrong, but not using Backbone won't make your site any more secure. Even if you are not using Backbone, I can fire up the console while on your site and make any ajax request I want to your server. If I wanted to take it further, I could build an application that makes any request I want.
No real security can be implemented client-side. That is the server's responsibility regardless of whether or not you are using something like Backbone.

Related

How to connect dynamic HTML to MySQL

First, I'd like to say this is part of a university undergrad project, so my knowledge will be limited.
I have a MySQL database set up with data and I want to click a button in HTML that queries the database and updates HTML table elements with returned data. I have done A LOT of reading and it always returns to nodejs which I have absolute beginner experience with. I have code set up to query my database with nodeJS which works fine, however, I see absolutely no solution to update the HTML dynamically and I refuse to believe it is not in some way possible. I have read about expressJS templating but this dynamic updating of data is expected to occur hourly from the database (the database is a dummy stand-in for a real-life one) and the expressJS templates are not a good fit at all.
How can I return nodeJS data to a HTML page without serving a new page each time? perhaps return server-side JS data to client-side JS? how does nodeJS allow the HTML to then load client-side JS files? I am unable to get a PHP install working so it's unfortunately not an option. I am open to any alternatives that allows HTML to MySQL connections.
Thanks
I'm not 100% sure what you have set up or what your level of knowledge is, but I hope I can help.
Sounds like you have your server running and querying your DB just fine, so that's good. Now you need to route that to your frontend. This is where expressJS usually comes in. It's a backend framework for creating API's in node. Think of it as a middleman. You send a request to your API, and your API makes a request to the DB and gives you what you want.
To make the request from the frontend, you can use the fetch() API. It's an asynchronous function used to make https requests and receive data. You then need to use that data to dynamically populate your html. Since it's done with javascript, it won't force a reload of the page either.
Feel free to ask questions and hopefully we can get you pointed in the right direction at the very least.

Finding better way of handling user session based data in angular/nodeJS

I have a stored procedure that take too much time to run as it internally does multiple joins on different tables, does group by, order by and then returns response to nodeJS server. The server than passes on this data received from mysql db to angular/client.
Because the client has to wait for too long to let http request complete. I was thinking of better approaches that will shorten the http request completion time.
Need suggestions on how can i handle or make the data in advance that a user will need later.Like adding a small cache database on server that will store user based data and clears out when user session is destroyed.If i go with this approach than which db will be best?
Or instead of having cache Db can i have a json file on server to store users data and use it?
Having a json file on server would be too cumbersome to handle in cases like updation and query in my opinion. Please have a look at memory based dbs for caching purposes if the data doesnt change too often. My recommendation is redis just because i have the best hands on it. However there are many other other options that you can find out with a quick serch like memcached.
Caching strategy only works if the data you are caching doesnt change too quickly. You can explore different schema strategies for the same.

Wondering if I can use mySQLs connection.threadID to continue running queries?

I am new to web development, but I am building a tool to help us visualize the customers in our database in a more concrete way (basically a CRM of sorts). Its a web app using a node.js backend and Vue.js for the front end.
THE BIG QUESTION - I found a connection.threadId query that can be run. If I save this threadID in a cooke or JSON web token, can I use this to have each user uniquely querying the database? If you need additional information on my issue, continue reading.
Essentially the problem I am running into is authentication. We were able to get a dummy user create that has read only privileges to the database, but this doesnt help the account management team. I am trying to find a way for them to be able to login with their own credentials and then be able to run queries from my node.js (javascript) backend using a series of get and post requests.
I am able to get the user to login with the SQL password and they can run the initial query (that fires upon login) but they then cannot re-query the database if someone else logs in after them (I realized that my variables were all globally scoped on the server.) I then moved everything client side in JSON web tokens, but I had to hash the database password to be safe which leaves me with another problem. My hash and the original database hash do not match, and that is not something I'll ever get access to. Not really sure where else to go with this at this point.
Please ask if you need any additional information to assist.
Thanks!
You probably can't.
You also probably shouldn't use variables on the SQL server for a web app like this. If you can refactor those into variables you can schlep around in the user session (or POST parameters or whatever), you're much better off, being more stateless (as far as the server components are concerned) and all too.

How to Log User Experience in Angular/Ionic Mobile App with SQL Server

I am developing an Ionic Application and i want to know which users logged in, which views they went and what errors they faced.
I implemented the same in the .NET Application using NLog. Is there any way in Javascript to post entries in SQL Server or what are the alternatives.
PS: Tried Google Analytics but it is very slow in updating. I need a real time solution for simple usage.
Thanks
There is not a straight forward answer to your question.
Ionic/Angular are front-end applications which generally make calls to exposed endpoints, which in turn, communicate with the database, in your case SQL.
My suggestion:
1) Setup an endpoint on your backend and write some simple logic to accept a message (error msg, which user is logged in, event that happened) to be written to the database.
2) Create a factory/service that will make an aJax call to that endpoint (you'll need to pass your message to this factory from the UI)
3) Use something like $log in Angular to pass the message you want to database to the factory.
You cannot simple hit SQL from Angular and honestly, it is a really bad idea (if you could).

Collecting data from how visitors interact (client-side) with a javascripted form

I'm doing educational research about how students use a web quiz as a study tool. I've set up a web quiz that shows photos of plants and asks students to type in the correct scientific name.
http://www.plantsciences.ucdavis.edu/courses/enh6/quiz/quiz_sn.html
Using something like Google Analytics I can see the number of photos students look at (because each new photo involves a request from the server). But I'd also like to know how many times students type in a correct answer and how many times they type in a wrong answer. The form is all checked client-side using javascript, so giving a right or wrong answer doesn't start any communication with the server.
Is there a way to collect this data using cookies or something? Or can I have the form request a certain single-pixel gif with each right or wrong answer, so the server can record what's happening? Or do I need to reprogram everything and have the form get processed on the server to collect this data?
If you only want to record correct/incorrect answers, the simplest thing to do from what you've already got would be to expose an API on your server where you can send the information you want to store. Then, you can make an AJAX request to it after receiving an answer and your client side application will be nicely decoupled from the server side storage.
At this stage though, your application won't know if an error occurs on the server side of things. This may be what you want to happen if such errors shouldn't affect your application's primary behavior, but you may wish to respond with a success/error (most likely using JSON) to allow your application to react accordingly.

Categories