The WebKit folks just added client-side SQL database support:

http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
http://glazkov.com/blog/html5-gears-wrapper/

In addition to all of the existing attacks through a web browser, we can now take into account SQLite vulnerabilities and client-side SQL injection issues as well.

From the security section of the specification:
http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql

"""
[ 4.11.8.1. User agents ]

User agent implementors are strongly encouraged to audit all their supported SQL statements for security implications. For example, LOAD DATA INFILE is likely to pose security risks and there is little reason to support it.

In general, it is recommended that user agents not support features that control how databases are stored on disk. For example, there is little reason to allow Web authors to control the character encoding used in the disk representation of the data, as all data in ECMAScript is implicitly UTF-16.

[ 4.11.8.2. SQL injection ]

Authors are strongly recommended to make use of the ? placeholder feature of the executeSql() method, and to never construct SQL statements on the fly.
"""

...because letting developers choose to bind their query parameters has worked so well before ;-)

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
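
The advice quoted from 4.11.8.2, as an added example (not part of the original post or of the specification): the same lookup built on the fly and with the ? placeholder, plus a wrapper that refuses the first form. The notes table, the function names and the recording stand-in for the transaction object are assumptions so that it runs outside a browser; only executeSql(sql, args) comes from the quoted text.

```javascript
// Constructed stand-in for the transaction object a browser would pass to
// the db.transaction() callback. It only records what the SQL engine
// would be handed, so the two forms can be compared offline.
function recordingTx() {
  const calls = [];
  return {
    calls,
    executeSql(sql, args = []) { calls.push({ sql, args }); },
  };
}

// Built on the fly: the caller's string becomes part of the statement text,
// so a quote in the input changes the structure of the query.
function findNoteConcat(tx, title) {
  tx.executeSql("SELECT id, body FROM notes WHERE title = '" + title + "'");
}

// Placeholder form: the statement text is a constant and the input travels
// only as a bound value.
function findNoteBound(tx, title) {
  tx.executeSql("SELECT id, body FROM notes WHERE title = ?", [title]);
}

// Hypothetical guard for application code: reject any statement that carries
// a quoted literal or whose ? count does not match the argument list.
// Deliberately conservative: it also rejects double-quoted identifiers.
function strictExecuteSql(tx, sql, args = []) {
  if (/['"]/.test(sql)) {
    throw new Error("quoted literal in SQL text; bind the value with ?");
  }
  const placeholders = (sql.match(/\?/g) || []).length;
  if (placeholders !== args.length) {
    throw new Error("placeholder/argument count mismatch");
  }
  tx.executeSql(sql, args);
}

// Runs both forms on the same input and returns what each one sent.
function demo(title) {
  const a = recordingTx();
  const b = recordingTx();
  findNoteConcat(a, title);
  findNoteBound(b, title);
  return { concat: a.calls[0], bound: b.calls[0] };
}

// Constructed input containing a quote character.
console.log(demo("x' OR '1'='1"));
```
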
