This is a discussion on Security Concern? within the PHP General forums, part of the PHP Programming Forums category.
Hi Everyone,

Last week you all helped me with the code to pull the database field names directly from the database rather than being hardcoded by me. Now I got to thinking that I have exposed my database layout to anyone who can log in and see it. Is that a security issue? I've heard that if an attacker has the field names of a database, it makes it easier for them to try and inject code into it. All my queries to the database are done through prepared statements and mysqli_real_escape_string, so I've taken care of at least part of it.

I'm thinking that since you have to log into the website to see the field names, it's okay as long as I trust and monitor my users. But I thought I would pose the question to people who are a lot more knowledgeable than me :)

Any comments are welcome; if you want to see source let me know and I can shoot you an e-mail off list (don't really want to expose my code to all the archives just yet :))

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd Ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
On Apr 21, 2008, at 8:03 AM, Jason Pruim wrote:

> [...] Now I got to thinking that I have exposed my database layout to anyone who can log in and see it. Is that a security issue? I've heard that if an attacker has the field names of a database, it makes it easier for them to try and inject code into it. All my queries to the database are done through prepared statements and mysqli_real_escape_string, so I've taken care of at least part of it. [...]

As long as you're taking the necessary measures to ensure that your database is not breakable/hackable, then us knowing your schema shouldn't be an issue. I'd bet that one could guess part (or all?) of many people's database schemas b/c they're so generic, and it doesn't really matter to obfuscate them. I don't think it's as important to create obscure database schemas as it is to protect how you interact with it.

However, just make sure of the following, and you should be good:

• Use mysql?_real_escape_string as you mentioned
• Use `backticks` around ALL your table and field names:

```php
<?php
// Escape the user-supplied value before it is interpolated into the query string,
// and backtick-quote every table and field name.
$user_id = mysql_real_escape_string($_GET['user_id']);
$sql = "SELECT `first_name`, `last_name` FROM `user` WHERE (`user_id` = '$user_id')";
?>
```

With those simple precautions, you should be well-protected.

HTH,
~Philip
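An added example, not code from the thread, showing the two precautions above combined with the thread's own situation of field names that come out of the schema: a value can be bound through a mysqli prepared statement, but an identifier cannot, so the requested column list is checked against the table's real columns (read with SHOW COLUMNS, the same source Jason's code uses) and then backtick-quoted. The table `user`, its columns, the connection credentials and the functions `quote_ident`, `table_columns` and `select_user` are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumes an open mysqli connection,
// a table `user` with a `user_id` column, and mysqlnd for get_result().

// Wrap an identifier in backticks and double any embedded backtick.
// Backticks also make a column named after a reserved word unambiguous.
function quote_ident(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Read the real column names of a table from the live schema.
function table_columns(mysqli $db, string $table): array {
    $res = $db->query('SHOW COLUMNS FROM ' . quote_ident($table));
    $cols = [];
    while ($row = $res->fetch_assoc()) {
        $cols[] = $row['Field'];
    }
    return $cols;
}

// SELECT only columns that exist in `user`, with the value bound as a parameter.
// Identifiers cannot be placeholders, so unknown names are dropped before the
// SQL text is built; the value never touches the SQL text at all.
function select_user(mysqli $db, array $requested, string $user_id): ?array {
    $allowed = table_columns($db, 'user');
    $cols = array_values(array_intersect($requested, $allowed));
    if ($cols === []) {
        throw new InvalidArgumentException('no valid columns requested');
    }
    $sql = 'SELECT ' . implode(', ', array_map('quote_ident', $cols))
         . ' FROM `user` WHERE `user_id` = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $user_id);   // value sent separately from the query text
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$mysqli = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
// Column names may arrive from the client; 'not_a_column' is silently discarded.
$row = select_user($mysqli,
                   ['first_name', 'last_name', 'not_a_column'],
                   $_GET['user_id'] ?? '');
var_dump($row);
```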
On Apr 21, 2008, at 11:49 AM, Philip Thompson wrote:

> [...] However, just make sure of the following, and you should be good:
>
> • Use mysql?_real_escape_string as you mentioned
> • Use `backticks` around ALL your table and field names:
> [...]
> With those simple precautions, you should be well-protected.

Hey Philip,

Thanks for the response, I'll have to double check if I have the backticks around my field names...

And to complete the archives, I was recommended a couple of books by Chris Shiflett. Here's the link for anyone who is interested: http://shiflett.org/books

Thanks again for the response!

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd Ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
On Apr 21, 2008, at 1:46 PM, Jason Pruim wrote:

> On Apr 21, 2008, at 11:49 AM, Philip Thompson wrote:
>
>> [...]
>> • Use `backticks` around ALL your table and field names:
>> [...]
>
> Hey Philip,
>
> Thanks for the response, I'll have to double check if I have the backticks around my field names...

On top of it being for security reasons, it's good to use them so you won't have a naming conflict with RESERVED words. One time I scratched my head for a while trying to figure out why my script with SQL wasn't working. Eventually I figured out that I named one of my fields the same thing as a reserved word. Well, MySQL didn't really like that. Using backticks *fixed* the problem.

HTH,
~Philip

PS: I try not to use reserved words as field names anymore since some consider it *bad practice*! =P

> And to complete the archives, I was recommended a couple of books by Chris Shiflett. Here's the link for anyone who is interested: http://shiflett.org/books
>
> Thanks again for the response!