tags:

views:

90

answers:

4
+4  Q: 

Naming form fields in a web page

How do you name your field names in a web page without revealing the structure of your database tables?

+2  A: 

I assume that you could just rename the input field names if you think this is a problem. You need to link them to the correct SQL columns at some point anyway.

This would be security through obscurity.

Being careful with how you handle input (to avoid SQL injection) in your application sounds like a more sensible approach however.

Martijn Dijksterhuis  2009-12-11 04:11:11
+2  A: 

Just name them something else in the HTML, and manually map between the database field names and the HTML field names in your PHP code.

But really, if you're using prepared statements and performing proper authorization and error checking, it shouldn't matter if people know the table field names.

Kaleb Brasee  2009-12-11 04:13:06
+1  A: 

If this really is a concern for you then just user field1, field2 (or f1, f2) and map them to your database fields in your lab book. But, unless you're doing database calls from your HTML code, then there's very little that can be gleaned about the database structure itself just by looking at the forms with the field names than without.

codefool  2009-12-11 04:14:07
+2  A: 

I usually add a prefix and suffix to sanitization/handling convenience.

For example, if a field must contain just letters, and nothing else, i'll name it tx_field_name, otherwise if can contain filtered html, hf_field_name or full html hx_field_name... the script who'll get the form know how to sanitize and check the values in base of the prefix.

But if your meaning is explicity hide the column's name of the database, well, gave it the name you want, foo, bar, or add random suffixes, or even replace the _ with - (that are allowed in html fields name, but not in database column name)

p.s: i hope that you ARE NOT using a code like

$values = $_POST;
$n_val = count($values);
$i = 0;
foreach($values AS $key => $value){
    $pairs .= " `$key` = '$value' ";
    if($n_val > $i){
        $pairs .= ', ';
    }
}
thedbyouprefer_query("UPDATE table SET $pairs WHERE id = '42'");

to handle the form, but mapping it with php (..and a bit of prepared staements wont be bad)

DaNieL  2009-12-11 06:43:45

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases