Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I just met a developer who prepended every table and column name in his MYSQL databases with an underscore (e.g. _users, _name, _active). When I questioned the practice he stated that this helps prevent SQL injection attacks – I have never come across this practice/advice before. How does it help to prevent SQL injection attacks?
No.
His thinking goes “If the attacker doesn’t know the name of my tables, then the attacker can’t mess with them.” However, you’re still vulnerable to SQL injection, and the attacker can still cause arbitrary system calls, perhaps to well-known system tables. What if he adds some SQL code that causes very long queries against a system table that bogs down your server?
Security through obscurity is no security at all.