# Secure APIs
An architect should provide secure APIs, for example for database queries, so that developers do not need to call potentially insecure functions directly.
# Background
Especially when working with inexperienced developers, the creation of secure APIs is advised. Through this, insecure methods, regardless of their nature (binding to the DOM or querying data), are only reachable through an API which was implemented securely. Consequently, developers do not use methods that could lead to security issues in the first place.
# Example
The following example shows a secure API to query data from the "User" table using the mysql library in JavaScript. Using this method, an inexperienced developer will not use insecure methods as described here. By passing a JSON array containing objects with an `attribute` and their corresponding `constraint`, the `WHERE` clause of the SQL query is filled securely using placeholders. Next, the created query is sent to the database with the constraints passed via the placeholders, making the query secure.
```javascript
const mysql = require('mysql')
// Connection settings are placeholders; configure them for your environment.
const databaseConnection = mysql.createConnection({ /* host, user, password, database */ })

// conditions: array of { attribute: <column name>, constraint: <value> }
function queryUser(conditions, callback){
  // "??" is the mysql library's placeholder for identifiers (column names),
  // "?" the placeholder for values; the library escapes both.
  let clauses = []
  let inputs = []
  conditions.forEach(condition => {
    clauses.push("?? = ?")
    inputs.push(condition.attribute, condition.constraint)
  });
  // Conditions are joined with AND so that more than one constraint yields valid SQL.
  let query = "SELECT * FROM User WHERE " + clauses.join(" AND ")
  databaseConnection.query(query, inputs, callback)
}
```
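The same API as an added example (not code from the original page): the query builder is separated from the database connection so it can be unit-tested offline, and the column names a caller may filter on are restricted to an allowlist, since plain `?` placeholders bind values but not identifiers. The column names, `buildUserQuery` and `runUserQuery` are assumptions for illustration.

```javascript
// Added example, not the original page's code. Column names are hypothetical.

// Only these columns may appear in a WHERE clause. A caller-supplied attribute
// name is never concatenated into the SQL text unless it is in this set.
const QUERYABLE_USER_COLUMNS = new Set(['id', 'username', 'email', 'status'])

// Turns [{ attribute, constraint }, ...] into { sql, values }.
// Every constraint becomes a bound parameter; none is put into the sql string.
function buildUserQuery(conditions) {
  if (!Array.isArray(conditions) || conditions.length === 0) {
    // An empty list would otherwise yield "... WHERE" with nothing after it.
    throw new Error('at least one condition is required')
  }
  const clauses = []
  const values = []
  for (const { attribute, constraint } of conditions) {
    if (!QUERYABLE_USER_COLUMNS.has(attribute)) {
      throw new Error('attribute not queryable: ' + String(attribute))
    }
    clauses.push(attribute + ' = ?')
    values.push(constraint)
  }
  return {
    sql: 'SELECT * FROM User WHERE ' + clauses.join(' AND '),
    values: values,
  }
}

// Sends the built query through a mysql-style connection object exposing
// query(sql, values, callback). The connection is injected so the builder
// above stays testable without a live database.
function runUserQuery(databaseConnection, conditions, callback) {
  const built = buildUserQuery(conditions)
  databaseConnection.query(built.sql, built.values, callback)
}
```

A value containing a quote, such as `O'Brien`, stays in the `values` array untouched, which is exactly what keeps it out of the query text.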