Re: Security Concern?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Apr 21, 2008, at 8:03 AM, Jason Pruim wrote:
Hi Everyone,

Last week you all helped me with the code to pull the database field names directly from the database rather then being hardcoded by me. Now I got to thinking, that I have exposed my database layout to anyone who can log in and see it. Is that a security issue? I've heard that if an attacker has the field names of a database, it makes it easier for them to try and inject code into it. All my queries to the database are done through prepared statements, and mysqli_real_escape_string. So I've taken care of at least part of it.

I'm thinking that sense you have to log into the website to see the field names, it's okay as long as I trust and monitor my users. But I thought I would pose the question to people who are ALOT more knowledgeable then me :)

Any comments are welcome, if you want to see source let me know and I can shoot you an e-mail off list (Don't really want to expose my code to all the archives just yet :))


As long as you're taking the necessary measures to ensure that your database is not breakable/hackable, then us knowing your schema shouldn't be an issue. I'd bet that one could guess part (or all?) of many people's database schemas b/c they're so generic - and it doesn't really matter to obfuscate them. I don't think it's as important to create obscure database schemas as it is protect how you interact with it.

However, just make sure of the following, and you should be good:

• Use mysql?_real_escape_string as you mentioned
• Use `backticks` around ALL your table and field names:

<?php
$user_id = mysql_real_escape_string ($_GET['user_id']);
$sql = "SELECT `first_name`, `last_name` FROM `user` WHERE (`user_id` = '$user_id')";
?>

With those simple precautions, you should be well-protected.

HTH,
~Philip
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux