Thread: Security Concern?
View Single Post

  #3 (permalink)  
Old 04-21-2008
Jason Pruim
 
Posts: n/a
Default Re: [PHP] Security Concern?

On Apr 21, 2008, at 11:49 AM, Philip Thompson wrote:

> On Apr 21, 2008, at 8:03 AM, Jason Pruim wrote:
>> Hi Everyone,
>>
>> Last week you all helped me with the code to pull the database
>> field names directly from the database rather then being hardcoded
>> by me. Now I got to thinking, that I have exposed my database
>> layout to anyone who can log in and see it. Is that a security
>> issue? I've heard that if an attacker has the field names of a
>> database, it makes it easier for them to try and inject code into
>> it. All my queries to the database are done through prepared
>> statements, and mysqli_real_escape_string. So I've taken care of at
>> least part of it.
>>
>> I'm thinking that sense you have to log into the website to see the
>> field names, it's okay as long as I trust and monitor my users. But
>> I thought I would pose the question to people who are ALOT more
>> knowledgeable then me :)
>>
>> Any comments are welcome, if you want to see source let me know and
>> I can shoot you an e-mail off list (Don't really want to expose my
>> code to all the archives just yet :))
>
>
> As long as you're taking the necessary measures to ensure that your
> database is not breakable/hackable, then us knowing your schema
> shouldn't be an issue. I'd bet that one could guess part (or all?)
> of many people's database schemas b/c they're so generic - and it
> doesn't really matter to obfuscate them. I don't think it's as
> important to create obscure database schemas as it is protect how
> you interact with it.

>
>
> However, just make sure of the following, and you should be good:
>
> • Use mysql?_real_escape_string as you mentioned
> • Use `backticks` around ALL your table and field names:
>
> <?php
> $user_id = mysql_real_escape_string ($_GET['user_id']);
> $sql = "SELECT `first_name`, `last_name` FROM `user` WHERE
> (`user_id` = '$user_id')";
> ?>
>
> With those simple precautions, you should be well-protected.

Hey Phillip,

Thanks for the response, I'll have to double check if I have the back
ticks around my field names...

And to complete the archives, I was recommend a couple of books by
Chris Shiftlett Here's the link for anyone who is interested: http://shiflett.org/books

Thanks again for the response!

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com



Reply With Quote