
Does naming your form fields the same as mysql actually pose any security risk?

Is there any reason why you should or shouldn't name your form fields exactly the same as the HTML fields?

<input type="text" name="my_field_1" id="my_field_1" /> --> mysql row my_field_1

or

<input type="text" name="myField1" id="myField1" /> --> mysql row my_field_1

The only thing I can think of are probably naming conventions for HTML vs Mysql (personal preference maybe), as well as slight injection prevention (obviously the field name would have to vary more... but all values should be validated first anyway + the use of real escape string).


The only way I can see this could pose a problem is when the attacker knows the name of a protected column in the same table that is not supposed to be changed through the form, and creates a new input element with that name with the intention of "slipping" the value illegally into the table.

That is something that your program must filter out anyway on program level, so there's no problem with naming form fields after your actual column names. You just need to take care to never loop through every available table column or form field, but be picky about what gets updated.

A secondary, very remote risk is that you are exposing column names in your table. So if you're super-paranoid about security, you may want to give the form fields a name different from their column. But I can't see any real necessity for that.


If you're validating then no, but don't limit validation to just what you expect from the form. What if you have a comment table with an owner column and you blindly build a SQL update statement from all the fields in the form, because you know there's no owner field on there? What happens if I use TamperData, a firefox extension which allows me to add data to a request and I add an owner field?

Don't loop through all the fields and accept them, make sure only fields you expect are there and there are no extras!
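The mass-assignment problem that the two answers above describe (a protected `owner` column silently overwritten because the update is built from every submitted field) is easy to reproduce. The following is an added example, not code from the original thread: it uses Python's `sqlite3` standard library in place of MySQL, and the `comments` table, the `EDITABLE` allowlist and the tampered form dictionary are constructed for illustration. Note that in the vulnerable version the attacker controls column *names*, which parameter binding does not protect; only the allowlist does.

```python
import sqlite3

# Constructed fixture: a comments table with a protected "owner" column.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, body TEXT)"
    )
    conn.execute(
        "INSERT INTO comments (id, owner, title, body) VALUES (1, 'alice', 'first', 'hello')"
    )
    conn.commit()
    return conn


def update_from_all_fields(conn, comment_id, form):
    """VULNERABLE: every submitted field name becomes a SET column.

    Values are bound as parameters, so the *values* cannot inject SQL, but the
    column names come straight from the request. An attacker who adds an
    'owner' field (e.g. with TamperData or curl) overwrites the protected column,
    and a crafted field name such as "owner = 'x', body" is spliced in verbatim.
    """
    cols = list(form.keys())
    assignments = ", ".join(f"{c} = ?" for c in cols)
    sql = f"UPDATE comments SET {assignments} WHERE id = ?"
    conn.execute(sql, [form[c] for c in cols] + [comment_id])
    conn.commit()


# Hypothetical allowlist: the only columns this form is permitted to change.
EDITABLE = frozenset({"title", "body"})


def update_allowlisted(conn, comment_id, form):
    """HARDENED: reject unexpected fields, and take column names only from
    the server-side allowlist, never from the request."""
    unexpected = set(form) - EDITABLE
    if unexpected:
        raise ValueError(f"unexpected form fields: {sorted(unexpected)}")
    cols = [c for c in sorted(EDITABLE) if c in form]
    if not cols:
        return
    # Column names are now constants we own; values stay parameter-bound.
    assignments = ", ".join(f"{c} = ?" for c in cols)
    sql = f"UPDATE comments SET {assignments} WHERE id = ?"
    conn.execute(sql, [form[c] for c in cols] + [comment_id])
    conn.commit()


# Constructed requests: a normal edit and one with an extra "owner" field added.
LEGIT_FORM = {"title": "edited", "body": "hello again"}
TAMPERED_FORM = {"title": "edited", "body": "hello again", "owner": "mallory"}


def run_update(updater, form):
    """Apply `updater` to a fresh database and report the resulting row plus
    whether the request was rejected, so both paths can be compared."""
    conn = make_db()
    rejected = None
    try:
        updater(conn, 1, dict(form))
    except ValueError as exc:
        rejected = str(exc)
    owner, title, body = conn.execute(
        "SELECT owner, title, body FROM comments WHERE id = 1"
    ).fetchone()
    return {"owner": owner, "title": title, "body": body, "rejected": rejected}


if __name__ == "__main__":
    print("vulnerable :", run_update(update_from_all_fields, TAMPERED_FORM))
    print("allowlisted:", run_update(update_allowlisted, TAMPERED_FORM))
    print("legit edit :", run_update(update_allowlisted, LEGIT_FORM))
```

Renaming the form field (`myField1` instead of `my_field_1`) changes nothing here: the attacker guesses or learns the column name, and the update accepts it either way. The fix is the allowlist, which is why the same-name convention is fine once the update code is picky about what it writes.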


Agreed. No problem.

In fact, if you name the fields the same as the Table fields you can do some cool looping schemes that make updating or inserting into MySQL more automated.


Actually no one will know that you used the field names instead of custom names (except for some typical column names). How can they know? Maybe you used custom names, maybe not ;)
It makes your code easier to understand if you use the same names and your code will be easier to maintain.

But read the other answers to be aware of the problems that could occur.


It is not a security risk as long as your website is 100% safe from SQL injection. So I would rather worry about that than about choosing/using field names.


No, because you should assume that any attacker has access to your entire source code base anyway, so naming them something different would not reduce their capacity to attack you.

The right way to protect an application is to write it correctly, not hide the information someone might need to attack it (they may get it anyway).

