PHP form name security vulnerability?

StackOverflow https://stackoverflow.com/questions/21405515

  •  03-10-2022
  •  | 
  •  

Pergunta

I'm a junior PHP developer currently working on a project with a small team. It's the first time I've worked in a team on a project so I'm learning lots and building team working skills.

There is one specific thing I noticed that my fellow developers do and I believe could be a large security risk. When creating forms they will give the input name the column name in the database. This means that wherever the data is posted they can use a nifty for each loop going through the POST array. Sure, it's pretty and easy, but do I want users to see the names of columns?

I'm not sure if it does pose a security risk (first thing I think of is SQL injection) but if it does what can be done?

I suppose you could possibly hash the names of the inputs? Still, that's not totally 100% secure. What if in the form page the names are things like 'apple64', 'banana99', 'chickens' and then in the PHP file they're converted to their corresponding column names?

The point of my question is to find general practice for this (possible) security vulnerability.

Foi útil?

Solução

Such a general practice is called "whitelisting".

You are positively right about this vulnerability. And for a junior developer you have a very good eye. As a matter of fact, most people who call themselves "professionals" never bother themselves with such questions.

So, to prevent an ordinary SQL injection and also to prevent random access to table fields (a user may be disallowed to some of them), you have to verify your post data against a pre-written whitelist.

Here you can see my approach for either classic mysql or PDO as an example.

Outras dicas

When you develop, you have to give to user the minimal informations. Headers / DB name / Column name etc..

The risk of the sql injection exist if your form treatments are not secure. To control your sql requests, you have to prepare them and check if the variable have special chars.

Documentation about pdo http://php.net/manual/en/pdo.prepare.php

A nice "how to" about the sql injection: http://www.unixwiz.net/techtips/sql-injection.html

Licenciado em: CC-BY-SA com atribuição
Não afiliado a StackOverflow
scroll top