JSONP question on usage and security

So I have something that is sending a jQuery AJAX POST, GET, PUT with the data as JSON, etc. to a web service on a different domain. I have heard about JSONP to some effect to prevent SQL injection. What exactly is JSONP and how exactly would I use it? I have other cases where I post using JSON to other APIs using curl commands. Would I need to use it in this case as well, or is it only if it's coming from the browser? Everything is going across HTTPS.
Brant Snow asked:

lexlythius commented:
About JSONP: http://en.wikipedia.org/wiki/JSON#JSONP

As I understand it, it is a way to circumvent the browser's same-origin policy restriction (en.wikipedia.org/wiki/Same_origin_policy). If you're requesting from an application (e.g., using cURL) the same-origin policy is not in effect, so there would be no difference.

I don't see how this might prevent SQL injection, which is an input-sanitizing issue between server-side script and DB. Maybe you meant cross-site scripting (XSS)?

rafiahmad commented:
JSON is a data format (in JavaScript object format), whereas JSONP is a method (similar to AJAX) by which you can download data from other domains. Traditional AJAX fails in a cross-domain scenario.

Both AJAX and JSONP are liable to SQL injection attacks if parameter values are not sanitized appropriately. AJAX has both POST and GET methods, whereas JSONP only works through the GET method.

In JSONP you download JSON or XML or any data as a string as a parameter of a callback function. That callback function should exist in your code, and it will be executed immediately after the data loads. The download URL is placed as "<script src='url'></script>" in the head of the HTML DOM tree through DOM manipulation.

You need to sanitize your parameters on the server side irrespective of whether you send them through a browser or using curl.

--rafi
Michel Plungjan, IT Expert, commented:
And the main difference in usage is that inserting the script will not guarantee you got a result, so you will have to test that your function is ever called. Normal AJAX will give a timeout or a 404.
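As an added example (not code from this thread), here is what the JSONP exchange rafiahmad and Michel describe looks like on both sides, assuming a hypothetical endpoint https://api.example.com/items and a query parameter named `callback`: the browser inserts the script tag and has to time out on its own if the callback never fires, and the server validates the callback name and JSON-encodes the payload before wrapping it.

```javascript
// Added example, not from the original thread. Endpoint and parameter
// names are assumptions.

// Server side: a callback name must be a plain identifier. Reflecting an
// arbitrary string here would turn the JSONP response into attacker script.
const CALLBACK_NAME_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && CALLBACK_NAME_RE.test(name);
}

// Server side: build the response body. The payload goes through
// JSON.stringify so quotes or braces in data values cannot break out of
// the argument list; the leading comment keeps the response from starting
// with caller-chosen bytes.
function wrapJsonp(callbackName, data) {
  if (!isSafeCallbackName(callbackName)) {
    throw new Error('invalid callback name');
  }
  return `/**/ ${callbackName}(${JSON.stringify(data)});`;
}

// Client side: JSONP is GET only, so every value, including the callback
// name, is URL-encoded into the query string.
function buildJsonpUrl(endpoint, params, callbackName) {
  const qs = new URLSearchParams({ ...params, callback: callbackName });
  return `${endpoint}?${qs.toString()}`;
}

// Client side (browser only): insert the <script> tag and resolve when the
// global callback runs. A 404 or network error produces no callback, so a
// timer is the only way to detect failure, as Michel points out.
function jsonpRequest(endpoint, params, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const cbName = 'jsonp_cb_' + Math.random().toString(36).slice(2);
    const script = document.createElement('script');
    const timer = setTimeout(() => {
      cleanup();
      reject(new Error('JSONP callback never fired'));
    }, timeoutMs);
    function cleanup() {
      clearTimeout(timer);
      delete window[cbName];
      script.remove();
    }
    window[cbName] = (data) => { cleanup(); resolve(data); };
    script.src = buildJsonpUrl(endpoint, params, cbName);
    document.head.appendChild(script);
  });
}
```

`jsonpRequest` needs a DOM, so in the browser it is used as `jsonpRequest('https://api.example.com/items', { q: 'shoes' }).then(...)`, while the other three functions run anywhere.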
GeneralTackett commented:
SQL injection is not simply a protocol problem; it is a design problem. On the back end you have to protect against injection. The method by which your SQL/parameters etc. get to your server and become inserted into your script is not so important. What is important is how you handle and preprocess that data before building your queries.
Brant Snow (Author) commented:
Great.