views:

90

answers:

4

How do you name your field names in a web page without revealing the structure of your database tables?

+2  A: 

I assume that you could just rename the input field names if you think this is a problem. You need to link them to the correct SQL columns at some point anyway.

This would be security through obscurity.

Being careful with how you handle input (to avoid SQL injection) in your application sounds like a more sensible approach however.

Martijn Dijksterhuis
+2  A: 

Just name them something else in the HTML, and manually map between the database field names and the HTML field names in your PHP code.

But really, if you're using prepared statements and performing proper authorization and error checking, it shouldn't matter if people know the table field names.

Kaleb Brasee
+1  A: 

If this really is a concern for you then just use field1, field2 (or f1, f2) and map them to your database fields in your lab book. But, unless you're doing database calls from your HTML code, there's very little more that can be gleaned about the database structure itself by looking at forms that use the real field names than by looking at ones that don't.

codefool
+2  A: 

I usually add a prefix or suffix for sanitization/handling convenience.

For example, if a field must contain just letters, and nothing else, I'll name it tx_field_name; if it can contain filtered HTML, hf_field_name; or full HTML, hx_field_name... The script that receives the form knows how to sanitize and check the values based on the prefix.

But if what you mean is explicitly hiding the database column names, well, give them whatever name you want, foo, bar, or add random suffixes, or even replace the _ with - (which is allowed in HTML field names, but not in database column names).

P.S.: I hope that you ARE NOT using code like

$values = $_POST;
$n_val = count($values);
$i = 0;
$pairs = '';
foreach($values AS $key => $value){
    $i++;
    // both the column name ($key) and the value come straight from the request,
    // unescaped and unbound: this is the SQL injection (and mass-assignment) problem
    $pairs .= " `$key` = '$value' ";
    if($i < $n_val){ // comma between pairs, none after the last one
        $pairs .= ', ';
    }
}
// thedbyouprefer_query() stands for whatever raw query function your DB layer has
thedbyouprefer_query("UPDATE table SET $pairs WHERE id = '42'");

to handle the form, but are mapping it with PHP (...and a bit of prepared statements won't be bad).

DaNieL
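The approach both Kaleb Brasee and DaNieL describe (an explicit map from HTML field names to database columns, a prepared statement instead of string interpolation, and DaNieL's tx_/hf_/hx_ prefix convention for deciding how to sanitize each value) written out as an added example. This is not code from the thread; the table `users`, its columns, the field names, the `updateProfile` function and the SQLite in-memory setup are all assumptions made up for the example.

```php
<?php
// Added example (not from the original thread): explicit mapping between HTML
// field names and database columns, with a PDO prepared statement. The prefix
// convention (tx_ = letters only, hf_ = filtered HTML, hx_ = raw HTML) follows
// the answer above; table, columns and field names are invented for this example.

// Whitelist: HTML field name => database column. Anything not listed is ignored,
// so the request cannot choose which columns get updated (no mass assignment),
// and the real column names never appear in the page.
const FIELD_MAP = [
    'tx_first' => 'first_name',
    'tx_last'  => 'last_name',
    'hf_bio'   => 'biography',
];

/**
 * Validate/sanitize one value according to its field-name prefix.
 * Returns null when the value is unacceptable.
 */
function sanitizeByPrefix(string $field, string $value): ?string
{
    switch (substr($field, 0, 3)) {
        case 'tx_':
            // letters only, nothing else
            return preg_match('/^[A-Za-z]+$/', $value) === 1 ? $value : null;
        case 'hf_':
            // filtered HTML: keep a small allow-list of tags
            return strip_tags($value, '<b><i><p>');
        case 'hx_':
            // full HTML: stored as-is (escaping belongs to the output side)
            return $value;
        default:
            return null;
    }
}

/**
 * Build and run an UPDATE from submitted form data, touching only whitelisted
 * columns and binding every value instead of interpolating it into the SQL.
 */
function updateProfile(PDO $pdo, array $post, int $id): int
{
    $assignments = [];
    $params = [];
    foreach (FIELD_MAP as $field => $column) {
        if (!array_key_exists($field, $post) || !is_string($post[$field])) {
            continue;
        }
        $clean = sanitizeByPrefix($field, $post[$field]);
        if ($clean === null) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        // $column comes from our own constant, never from the request
        $assignments[] = "`$column` = :$field";
        $params[":$field"] = $clean;
    }
    if ($assignments === []) {
        return 0; // nothing to update
    }
    $params[':id'] = $id;
    $sql = 'UPDATE users SET ' . implode(', ', $assignments) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Usage with an in-memory SQLite database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, biography TEXT)');
$pdo->exec("INSERT INTO users VALUES (42, 'old', 'name', '')");

// Constructed request: one letters-only field, one filtered-HTML field, and an
// attempt to set a column that is not in the whitelist.
$fakePost = [
    'tx_first' => 'Alice',
    'hf_bio'   => '<b>hi</b><script>alert(1)</script>',
    'is_admin' => '1', // ignored: not in FIELD_MAP
];
$changed = updateProfile($pdo, $fakePost, 42);
$row = $pdo->query('SELECT * FROM users WHERE id = 42')->fetch(PDO::FETCH_ASSOC);
var_dump($changed, $row);
```

The request only ever supplies values; the column list is driven by FIELD_MAP, so an extra or renamed field in the form does nothing, and the SQL text itself never contains user input. The tx_ check rejects the whole update on a bad value rather than silently dropping it, which is the safer default when several fields are written in one statement.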