On Apr 21, 2008, at 1:46 PM, Jason Pruim wrote:
On Apr 21, 2008, at 11:49 AM, Philip Thompson wrote:
On Apr 21, 2008, at 8:03 AM, Jason Pruim wrote:
Hi Everyone,
Last week you all helped me with the code to pull the database
field names directly from the database rather then being hardcoded
by me. Now I got to thinking, that I have exposed my database
layout to anyone who can log in and see it. Is that a security
issue? I've heard that if an attacker has the field names of a
database, it makes it easier for them to try and inject code into
it. All my queries to the database are done through prepared
statements, and mysqli_real_escape_string. So I've taken care of
at least part of it.
I'm thinking that sense you have to log into the website to see
the field names, it's okay as long as I trust and monitor my
users. But I thought I would pose the question to people who are
ALOT more knowledgeable then me :)
Any comments are welcome, if you want to see source let me know
and I can shoot you an e-mail off list (Don't really want to
expose my code to all the archives just yet :))
As long as you're taking the necessary measures to ensure that your
database is not breakable/hackable, then us knowing your schema
shouldn't be an issue. I'd bet that one could guess part (or all?)
of many people's database schemas b/c they're so generic - and it
doesn't really matter to obfuscate them. I don't think it's as
important to create obscure database schemas as it is protect how
you interact with it.
However, just make sure of the following, and you should be good:
• Use mysql?_real_escape_string as you mentioned
• Use `backticks` around ALL your table and field names:
<?php
$user_id = mysql_real_escape_string ($_GET['user_id']);
$sql = "SELECT `first_name`, `last_name` FROM `user` WHERE
(`user_id` = '$user_id')";
?>
With those simple precautions, you should be well-protected.
Hey Phillip,
Thanks for the response, I'll have to double check if I have the
back ticks around my field names...
On top of it being for security reasons, it's good to use them so you
won't having a naming conflict with RESERVED words. One time I
scratched my head for a while trying to figure out why my script with
sql wasn't working. Eventually I figured out that I named one of my
fields the same thing as a reserved word. Well, MySQL didn't really
like that. Using backticks *fixed* the problem.
HTH,
~Philip
PS: I try not to use reserved words as field names anymore since some
consider it *bad practice*! =P
And to complete the archives, I was recommend a couple of books by
Chris Shiftlett Here's the link for anyone who is interested: http://shiflett.org/books
Thanks again for the response!
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
