Hi Everyone,
Last week you all helped me with the code to pull the database field
names directly from the database rather then being hardcoded by me.
Now I got to thinking, that I have exposed my database layout to
anyone who can log in and see it. Is that a security issue? I've heard
that if an attacker has the field names of a database, it makes it
easier for them to try and inject code into it. All my queries to the
database are done through prepared statements, and
mysqli_real_escape_string. So I've taken care of at least part of it.
I'm thinking that sense you have to log into the website to see the
field names, it's okay as long as I trust and monitor my users. But I
thought I would pose the question to people who are ALOT more
knowledgeable then me :)
Any comments are welcome, if you want to see source let me know and I
can shoot you an e-mail off list (Don't really want to expose my code
to all the archives just yet :))
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
