CREATE TABLE t_cust_acct (
  o_id INT NOT NULL AUTO_INCREMENT,
  o_user VARCHAR(12) NOT NULL,
  o_pass VARCHAR(12) NOT NULL,
  o_mail VARCHAR(255) NOT NULL,
  c_0 INT(2) NOT NULL,   -- sum of c_1..c_4, set server-side
  c_1 INT(1) NOT NULL,
  c_2 INT(1) NOT NULL,
  c_3 INT(1) NOT NULL,
  c_4 INT(1) NOT NULL,
  PRIMARY KEY ( o_id ),
  UNIQUE ( o_user ),
  CONSTRAINT c_validate CHECK (
    c_0 = ( c_1 + c_2 + c_3 + c_4 )
  )
);

So for example all field names starting with c_ are meant to be covert and have no representative fields on an HTML form. The form feedback page will generate four random numbers between -9 and 9 on the PHP server and then set the fields c_1, c_2, c_3 and c_4; c_0 will be the sum of these four numbers so that the insert doesn't fail due to the c_validate constraint.

Will this work as intended?

Ozzy
    Don't do this. This won't add much to your security, and is a bit horrifying... Handle validation on the application layer, not the database. – Brad Dec 08 '11 at 19:33
  • Agree with Brad. Security through Obscurity is not the way to go. You will most likely just create a maintainability issue for down the road. And if anyone can snag the CREATE statement off your server for the table, it will be obvious how to get around your check. Worry more about your application and your grant tables. – Poodlehat Dec 08 '11 at 19:38
  • Also: assuming `o_pass VARCHAR(12) NOT NULL` is an accurate representation, that wouldn't mean passwords with a maximum length of 12, stored as plaintext... would it? – Dan J Dec 08 '11 at 20:00
  • Haha, no, in the actual thing the passwords would be stored with MD5 encryption – Ozzy Dec 08 '11 at 20:08

1 Answer

Apart from the fact that CHECK constraints are not executed in MySQL, why not just parametrise? And do it properly...

gbn
  • I was planning on parametrization as well... I guess this is not necessary then? EDIT: of course not, you just said check constraints are not executed – Ozzy Dec 08 '11 at 19:39
  • parametrization: yes, use this. Your idea of the "c" columns: useless even if check constraints were honoured because of opaqueness and maintenance – gbn Dec 08 '11 at 19:39
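To illustrate the answer's point, here is an added example (not from the question or the answer) contrasting the concatenated INSERT with a parametrised one. It uses Python's sqlite3 as an offline stand-in for PHP and MySQL, keeps only the real columns of t_cust_acct (the covert c_ columns are dropped, as the answer calls them useless), and feeds both inserts an ordinary username containing an apostrophe, a constructed value.

```python
import sqlite3

# Schema from the question, translated to SQLite DDL; c_ columns and the
# CHECK constraint are omitted because they add nothing to injection defence.
SCHEMA = """
CREATE TABLE t_cust_acct (
  o_id   INTEGER PRIMARY KEY AUTOINCREMENT,
  o_user VARCHAR(12)  NOT NULL UNIQUE,
  o_pass VARCHAR(12)  NOT NULL,
  o_mail VARCHAR(255) NOT NULL
)
"""


def insert_unsafe(conn, user, pw, mail):
    # String concatenation: the user's text becomes part of the SQL itself,
    # so any quote in it changes the statement's structure.
    sql = ("INSERT INTO t_cust_acct (o_user, o_pass, o_mail) VALUES ('"
           + user + "', '" + pw + "', '" + mail + "')")
    conn.execute(sql)


def insert_param(conn, user, pw, mail):
    # Placeholders: the statement is fixed, values are bound separately and
    # are stored verbatim regardless of what characters they contain.
    conn.execute(
        "INSERT INTO t_cust_acct (o_user, o_pass, o_mail) VALUES (?, ?, ?)",
        (user, pw, mail),
    )


def demo():
    """Run both inserts; return (unsafe_succeeded, stored usernames)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    name = "O'Brien"  # constructed: legitimate input with an apostrophe
    try:
        insert_unsafe(conn, name, "secret", "ob@example.com")
        unsafe_ok = True
    except sqlite3.OperationalError:
        # The apostrophe terminated the literal early and broke the statement;
        # that is the same mechanism injection relies on.
        unsafe_ok = False
    insert_param(conn, name, "secret", "ob@example.com")
    rows = conn.execute("SELECT o_user FROM t_cust_acct").fetchall()
    return unsafe_ok, [r[0] for r in rows]
```

The concatenated insert fails on the apostrophe while the parametrised one stores the name exactly as typed; no hidden columns are involved in either outcome.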