
I have always wondered: when you put web forms on your website, whether sign-up forms or a search field, you give away your field names. So is that a security risk or not? What's the best way to prevent that?

E.g: <input name="person_name">

edited by Brian Tompsett - 汤莱恩; asked by AAA

2 Answers


It is not a security risk; it is just a name that becomes the key part in the params.

answered by alex
  • Isn't it better if in the form I used a different name, say "field1", and then in the process page use $name = mysql_real_escape_string($_POST['field1']); and use that variable to insert into person_name? – AAA Oct 24 '11 at 12:27

Please don't try to prevent SQL injection attacks by escaping characters. Use the PDO API to create parameterized queries. See the PDO manual on Prepared Statements.

Not using the same database column names and HTML form field names is security by obscurity at best.

answered by Jonas Høgh
  • Can you post this as a reply comment to AAA and not as an answer to the OP's original question, please? – Cheekysoft Oct 24 '11 at 12:59
  • OK, I read that, but I sort of have some questions. Doesn't escape_string prevent those malicious attacks? I just did a 1=1 for a WHERE query and also used some code to see what would happen. My script didn't display anything. So what is the reason I should use PDO? I am not questioning its validity, but just want to know more. – AAA Oct 24 '11 at 13:32
  • @AAA There are many corner cases with exotic characters / encodings where escaping is not enough. See e.g. this question: http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection – Jonas Høgh Oct 24 '11 at 13:49
  • @AAA Using bound parameters (such as provided by the PDO or Mysqli libraries) will truly separate data from code such that SQL injection is completely impossible. By generating SQL by appending (or interpolating) strings together, you take the risk that your encoding/escaping policy leaves a hole that some attack vector that you didn't consider can get through. Also they can be easy to misuse (e.g. applying mysql_real_escape_string to an integer value). Bound parameters completely 100% remove the risk (and normally make your app faster, as the queries are pre-compiled by the db). – Cheekysoft Oct 26 '11 at 11:56