I’m currently creating a form validation script based on the jQuery validator plugin. So, the simple configurations went easily, like min length, max length, required, etc.
After that, I decided to check for availability of the username/email from the client side, so I had to use the remote option, which is an option I have to specify when creating the rules array. So, when creating the rules, I had to send data to a PHP script and check the availability of the input field.
But since I’m going to check availability for multiple input fields, I created a function (on the client side) to reuse it for every field, and that function requires the input field’s ID and the MySQL table’s name. To make things clear, here’s the function:
Notes:
1. check_input is a PHP script that will take the input field’s value and the table to check against, and it’ll return a JSON-encoded Boolean value: true if there’s no match in the table, otherwise false.

    // POSTs the field value and the table/column name to the PHP script.
    // Returns the jqXHR promise so the caller can attach its own .done():
    // a `return` inside the .done() callback only returns from that callback,
    // not from check_input itself.
    function check_input(input, table){
        return $.ajax({
            type: "POST",
            url: site_url + "site/check_input",
            data: {
                input: input,
                table: table
            }
        }).done(function(resp){
            // the PHP side answers with a JSON-encoded boolean:
            // true when no row matches, false otherwise
            var is_unique = JSON.parse(resp);
            return is_unique;
        });
    }
and this function will be called by setting the remote option to

    check_input($('#field').val(), 'table.column');

So, as you see, I must specify my MySQL tables from the client side, and every user (good and bad ones) can see this. Is that considered unsafe or bad practice?
If not, what is the suitable method to check for availability?
It’s bad design practice, as you should decouple your database schema from your client view code (what if you want to change the database schema?).
It’s bad security practice because it looks like you are using a string to build a SQL query. If you don’t know about SQL injection attacks, learn about them. This is a classic case.
Put in the extra work and create a proper PHP API that doesn’t require exposing table names.
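To make the answer's two points concrete, here is an added example that is not part of the original question or answer. It is a Node.js sketch of what the PHP endpoint should do (the asker's server is PHP; the logic transfers directly): the client sends only a logical field name and a value, the server maps that name to a table/column through an allow-list it owns, and the value travels as a bound parameter. The vulnerable string-built query is shown beside the hardened one so the injection is visible. The `FIELD_MAP`, the in-memory `DB` rows, the `/site/check_input` path and the function names are all assumptions made for this example.

```javascript
// Added example (not the original post's code): a uniqueness-check endpoint
// that does not expose table names and does not build SQL from strings.

// Server-side allow-list (assumption): the ONLY place where a field name
// chosen by the client becomes a table/column name.
const FIELD_MAP = {
  username: { table: "users", column: "username" },
  email:    { table: "users", column: "email" },
};

// Constructed in-memory stand-in for the MySQL table, so this runs offline.
const DB = {
  users: [
    { username: "alice", email: "alice@example.com" },
    { username: "bob",   email: "bob@example.com" },
  ],
};

// The pattern the answer warns about: table, column AND value all come from
// the client and are concatenated straight into SQL text.
function buildQueryUnsafe(tableDotColumn, value) {
  const [table, column] = tableDotColumn.split(".");
  return `SELECT COUNT(*) FROM ${table} WHERE ${column} = '${value}'`;
}

// Hardened pattern: the field name is looked up in the allow-list (anything
// else is rejected), and the value is passed separately as a bound parameter,
// exactly as a prepared statement (PDO/mysqli) would receive it.
function buildQuerySafe(field, value) {
  const target = FIELD_MAP[field];
  if (!target) throw new Error(`unknown field: ${field}`);
  return {
    sql: `SELECT COUNT(*) FROM \`${target.table}\` WHERE \`${target.column}\` = ?`,
    params: [value],
  };
}

// Stand-in for the prepared-statement engine: it executes only the fixed
// query shape and compares the bound parameter as data, never as SQL.
function execute(query) {
  const m = query.sql.match(/^SELECT COUNT\(\*\) FROM `(\w+)` WHERE `(\w+)` = \?$/);
  if (!m) throw new Error("unexpected query shape");
  const [, table, column] = m;
  return DB[table].filter((row) => row[column] === query.params[0]).length;
}

// Endpoint body: returns the boolean jQuery Validate's remote rule expects
// (true = available/valid, false = taken or invalid request).
function checkInput(field, value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 254) {
    return false;
  }
  try {
    return execute(buildQuerySafe(field, value)) === 0;
  } catch (e) {
    return false; // unknown field name: refuse rather than guess a table
  }
}

// Client side: the rule names the logical field, not a MySQL table. jQuery
// Validate posts the element's own name/value and merges in `data`.
const clientRules = {
  username: {
    required: true,
    remote: { url: "/site/check_input", type: "POST", data: { field: "username" } },
  },
  email: {
    required: true,
    email: true,
    remote: { url: "/site/check_input", type: "POST", data: { field: "email" } },
  },
};

module.exports = { buildQueryUnsafe, buildQuerySafe, checkInput, clientRules };
```

Note what changes for an attacker: with `buildQueryUnsafe`, a value of `x' OR '1'='1` becomes part of the query text, and the table/column argument lets them point the query at any table at all; with `buildQuerySafe`, the same value is compared literally and a table name sent from the browser is simply an unknown field.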