var mysql = require('mysql');
var connection = mysql.createConnection({
host : 'localhost',
user : 'meusername',
password : 'secret',
database : 'my_db'
});
connection.connect();
connection.query('SELECT 1 + 1 AS solution', function(err, rows, fields) {
if (err) throw err;
console.log('The solution is: ', rows[0].solution);
});
connection.end();
Above code have some private information like database name, user, password and SQL query too. I am new in node.js and curious to know if a script which have been written on Node.js will save in .js format and what if it contain server side script too? I mean how can it be safe/hidden like .php and aspx?
I would be more than happy if someone explain me in detail and also share some tips to prevent XSS attacks on Node.js.
1 Answer 1
Your question breaks down into two parts:
- Why is server-side JavaScript code save? (it won't be sent to the user)
- Something about XSS
Why is server-side JavaScript code save
You have to execute the code on the server to run it. Like
node index.js
Like with PHP and asp.net, the code is then run on said server. And likewise only the output generated by those scripts/executables will be sent to the client/browser.
The code snippet you posted doesn't even open a listening socket. So no client can connect to it.
You should also have no HTTP Server that serves the folder in which your script are stored. In conclusion: Since the files will never be transferred to the client, you don't need to worry about the secret data that is stored there.
Something about XSS
Your question about XSS is pretty vague. The concept of XSS basically breaks down to:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. (Source)
So as long as the client/user is unable to make the server print unvetted data, you are save.