1

I'm a junior PHP developer currently working on a project with a small team. It's the first time I've worked in a team on a project so I'm learning lots and building team working skills.

There is one specific thing I noticed that my fellow developers do and I believe could be a large security risk. When creating forms they will give the input name the column name in the database. This means that wherever the data is posted they can use a nifty for each loop going through the POST array. Sure, it's pretty and easy, but do I want users to see the names of columns?

I'm not sure if it does pose a security risk (first thing I think of is SQL injection) but if it does what can be done?

I suppose you could possibly hash the names of the inputs? Still, that's not totally 100% secure. What if in the form page the names are things like 'apple64', 'banana99', 'chickens' and then in the PHP file they're converted to their corresponding column names?

The point of my question is to find general practice for this (possible) security vulnerability.

jskidd3
  • 4,609
  • 15
  • 63
  • 127
  • when you are inserting password into db it will be base64_encoded or use md5 so your password will be secure.Check if it is not empty or html special character or html entities this all are sql injection – Agha Umair Ahmed Jan 28 '14 at 12:34
  • 2
    imho if u keep in mind not trusting user input and validating the input than there is no problem with naming the fields like the columns. Further more I think this is good practise. This is a good way for new members in the team to integrate fast into the code. Imagine if every field was provided with a hashed name, then u would need to translate every hash for yourself to be able to know which is what. – DarkBee Jan 28 '14 at 12:35
  • @DarkBee Sure, that's definitely the case but security should always come first IMO. If it doesn't pose a threat however I totally agree with you (which I think you're suggesting) – jskidd3 Jan 28 '14 at 12:36
  • 2
    @AghaUmairAhmed MD5 and base64 are not secure... use the password_hash function available in >= 5.5.0 (http://www.php.net/manual/en/function.password-hash.php) – DarkBee Jan 28 '14 at 12:36
  • They just foreach the POST and insert? What library do you use? If multi queries are enabled and someone inserts something like `"1234';DROP DATABASE` what not be nice – Daniel W. Jan 28 '14 at 12:40
  • @AghaUmairAhmed: **`base64_encode` for password storage?!** Why would you ever do that? – DCoder Jan 28 '14 at 12:43
  • 1
    Having names of columns in your code is in no way insecure. If you were obfuscating them just for the sake of it, that would be classic __security through obscurity__. – sevenseacat Jan 28 '14 at 12:49

2 Answers2

1

Such a general practice is called "whitelisting".

You are positively right about this vulnerability. And for a junior developer you have a very good eye. As a matter of fact, most people who call themselves "professionals" never bother themselves with such questions.

So, to prevent an ordinary SQL injection and also to prevent random access to table fields (a user may be disallowed to some of them), you have to verify your post data against a pre-written whitelist.

Here you can see my approach for either classic mysql or PDO as an example.

Community
  • 1
  • 1
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
-1

When you develop, you have to give to user the minimal informations. Headers / DB name / Column name etc..

The risk of the sql injection exist if your form treatments are not secure. To control your sql requests, you have to prepare them and check if the variable have special chars.

Documentation about pdo http://php.net/manual/en/pdo.prepare.php

A nice "how to" about the sql injection: http://www.unixwiz.net/techtips/sql-injection.html

Dimitri
  • 922
  • 2
  • 13
  • 34
  • I do prepare them! This isn't really an answer to what I'm asking (not being rude). I'm asking if it's a threat for users to know the column names via viewing the source code and looking at the name attribute value for an input field. Preparing them etc is all basic practice to me :) – jskidd3 Jan 28 '14 at 12:38
  • But you cannot parameterize column names with PDO , Dimi. – Stan Jan 28 '14 at 13:31
  • @jskidd3 How do you ‘prepare’ the column names? – Gumbo Jan 28 '14 at 19:35
  • @Gumbo You cannot prepare them. – Stan Jan 29 '14 at 13:09
  • @Stan No, you can't prepare them with DBMS prepared statements. But you could escape them. – Gumbo Jan 29 '14 at 16:08