Use a database column name directly inside an anchor
I have a simple security question which I just can't find the answer to.
Basically I want to order a table after a certain column. The way I do this is by using an anchor with two extra segments. At the moment I'm using the actual column name in one of the segments, the column I want to order by, but here I started thinking.
Is this the way to handle it? Well to me it does seem like a huge security risk by giving people access to some of my column names in one of my tables. But on the other hand I will of course escape everything so they won't get any access to do anything. Unfortunately I'm not almighty so I might do something wrong and I'm back to the security risk ;)
So how do I do this? Should I use other kinds of names, like numbers, which I later convert back to the column name? Or is my way okay?
Oh forgot to say, I'm working in php with codeigniter!
You could use a whitelist for that: create a hash in PHP which maps the anchor column names to the database column names:
$mapping = array('col_a' => 'firstname', 'col_b' => 'lastname');
You could also use exactly the same names, e.g. 'firstname' maps to 'firstname'. Then use the anchor column name to get the database column name from the mapping hash. If there is no entry for the anchor column name, return an error. That way, user input is validated.
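The whitelist approach above, worked through as an added example (not the answerer's code): both the sort column and the sort direction taken from the URI segments are resolved through fixed lookup tables, so anything not in the table never reaches the query. The anchor layout, the segment positions and the table and column names are assumptions.

```php
<?php
// Added example: resolve the two anchor segments (sort key, direction) through
// whitelists before building the ORDER BY. Assumed anchor form:
//   /users/index/<sort_key>/<direction>   e.g. /users/index/col_b/desc

/**
 * Map the public sort key to the real column name.
 * Returns null for any key that is not whitelisted, so an unknown or
 * hostile value is rejected instead of being interpolated into SQL.
 */
function resolve_sort_column($sort_key)
{
    // Public key => actual column (keys may equal the column names if preferred).
    // Columns you never want exposed for sorting simply are not listed here.
    static $mapping = array(
        'col_a' => 'firstname',
        'col_b' => 'lastname',
        'col_c' => 'created_at',
    );
    $sort_key = (string) $sort_key;
    return isset($mapping[$sort_key]) ? $mapping[$sort_key] : null;
}

/**
 * The direction is whitelisted too: only 'asc' or 'desc' pass; anything else
 * (including a missing segment) falls back to 'asc'.
 */
function resolve_sort_direction($direction)
{
    $direction = strtolower((string) $direction);
    return in_array($direction, array('asc', 'desc'), true) ? $direction : 'asc';
}

// Usage inside a CodeIgniter controller method (assumed controller name 'users'):
//
//   $column = resolve_sort_column($this->uri->segment(3));
//   if ($column === null) {
//       show_404();                      // or fall back to a default ordering
//   }
//   $direction = resolve_sort_direction($this->uri->segment(4));
//   $this->db->order_by($column, $direction);   // both values are now known-safe
//   $query = $this->db->get('users');

// Stand-alone check with constructed input (run with: php this_file.php)
var_dump(resolve_sort_column('col_b'));          // whitelisted key
var_dump(resolve_sort_column('password_hash'));  // real column, but not exposed
var_dump(resolve_sort_direction('DESC'));        // normalised direction
var_dump(resolve_sort_direction('sideways'));    // rejected, default applies
```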
Security by obscurity is no security.
A ton of websites use open source PHP applications whose database tables and columns are known. And I don't recall this being very useful during attacks against websites. If you have a SQL injection problem you should not care about the fact that your users know your table structure; you had better remove the SQL injection point.