Thread: Security Concern?
View Single Post

  #4 (permalink)  
Old 04-22-2008
Philip Thompson
 
Posts: n/a
Default Re: [PHP] Security Concern?
On Apr 21, 2008, at 1:46 PM, Jason Pruim wrote:
>
> On Apr 21, 2008, at 11:49 AM, Philip Thompson wrote:
>
>> On Apr 21, 2008, at 8:03 AM, Jason Pruim wrote:
>>> Hi Everyone,
>>>
>>> Last week you all helped me with the code to pull the database
>>> field names directly from the database rather then being hardcoded
>>> by me. Now I got to thinking, that I have exposed my database
>>> layout to anyone who can log in and see it. Is that a security
>>> issue? I've heard that if an attacker has the field names of a
>>> database, it makes it easier for them to try and inject code into
>>> it. All my queries to the database are done through prepared
>>> statements, and mysqli_real_escape_string. So I've taken care of
>>> at least part of it.
>>>
>>> I'm thinking that sense you have to log into the website to see
>>> the field names, it's okay as long as I trust and monitor my
>>> users. But I thought I would pose the question to people who are
>>> ALOT more knowledgeable then me :)
>>>
>>> Any comments are welcome, if you want to see source let me know
>>> and I can shoot you an e-mail off list (Don't really want to
>>> expose my code to all the archives just yet :))
>>
>>
>> As long as you're taking the necessary measures to ensure that your
>> database is not breakable/hackable, then us knowing your schema
>> shouldn't be an issue. I'd bet that one could guess part (or all?)
>> of many people's database schemas b/c they're so generic - and it
>> doesn't really matter to obfuscate them. I don't think it's as
>> important to create obscure database schemas as it is protect how
>> you interact with it.
>
>>
>>
>> However, just make sure of the following, and you should be good:
>>
>> • Use mysql?_real_escape_string as you mentioned
>> • Use `backticks` around ALL your table and field names:
>>
>> <?php
>> $user_id = mysql_real_escape_string ($_GET['user_id']);
>> $sql = "SELECT `first_name`, `last_name` FROM `user` WHERE
>> (`user_id` = '$user_id')";
>> ?>
>>
>> With those simple precautions, you should be well-protected.
>
> Hey Phillip,
>
> Thanks for the response, I'll have to double check if I have the
> back ticks around my field names...

On top of it being for security reasons, it's good to use them so you
won't having a naming conflict with RESERVED words. One time I
scratched my head for a while trying to figure out why my script with
sql wasn't working. Eventually I figured out that I named one of my
fields the same thing as a reserved word. Well, MySQL didn't really
like that. Using backticks *fixed* the problem.

HTH,
~Philip

PS: I try not to use reserved words as field names anymore since some
consider it *bad practice*! =P


> And to complete the archives, I was recommend a couple of books by
> Chris Shiftlett Here's the link for anyone who is interested: http://shiflett.org/books
>
> Thanks again for the response!
Reply With Quote