Basically, is this a good idea to use, or rather select only the fields you need for a certain reason? Say I have the fields: uid, uname, upass, usalt, and udisplayname. If a sneaky little .... somehow injected a query that is used for users that are logged in, wouldn't it be better to only have the relevant fields selected (in this case, uname, upass, and usalt should only be touched if adding a user, or having a user log in, because beyond that, why would you need something whose purpose is only for authenticating a user?), or rather select all fields?

I've been wondering this for a while. So if I used my method (select only relevant fields), even if a sneaky little .... did inject SQL to try and get a certain user's login information, it would not give them that info because those fields are NOT selected, as opposed to selecting all fields, and having that sneaky little .... get ahold of that user's info. Still, even if I used uname and upass, they'd still have to figure out that I'm using a unique salt for each user, and that even if 2 users have the same password, they'd need to do separate rainbow tables for each password.

https://forums.phpfreaks.com/topic/254925-mysql-select-all/

You should select only the fields you need. Not so much due to security like you're thinking, but more due to not wasting resources. There is no need to transfer all the data from all the fields from MySQL to your script if you're only going to use one or two of them. If you just select * in a query where you're joining many tables, you could end up transferring a lot of extra unnecessary data.

Also, if you have things indexed and you only need the indexed fields, MySQL can return the data much faster by looking only at the indexes. If you select all fields it has to hit the data file to extract all the un-indexed columns' data when you don't actually need it.

Lastly, it makes it easier to understand your scripts because all the fields you're using will be clearly listed in the query, rather than having to guess based on the array keys used throughout the code.

https://forums.phpfreaks.com/topic/254925-mysql-select-all/#findComment-1307121

Limiting your selected fields does not defend against injection attacks, as most of them involve breaking out of your query and running one that is more useful to the attacker - have a look here https://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29 (think I might put that in my sig...). You need to properly sanitise and escape any user data before it hits the database for that. What it does do is protect you from other script based attacks (as well as what has already been mentioned).

https://forums.phpfreaks.com/topic/254925-mysql-select-all/#findComment-1307192
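
The point made in the last reply, as an added example that is not part of the original thread: a query that selects only two columns still returns upass and usalt when the input is concatenated into the SQL text, while a bound parameter keeps the input as data. It uses Python with in-memory SQLite as a stand-in for PHP/MySQL; the function names and sample rows are constructed for illustration, and parameter binding is used here in place of manual escaping.

```python
import sqlite3

def make_db():
    # In-memory SQLite stands in for MySQL (assumption); rows are constructed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT, "
               "upass TEXT, usalt TEXT, udisplayname TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "hash-of-alice-pw", "salt-a", "Alice"),
        (2, "bob", "hash-of-bob-pw", "salt-b", "Bob"),
    ])
    return db

def profile_concat(db, display_name):
    # "Before": only two harmless columns are selected, but the input is
    # pasted into the SQL text, so it can change the statement itself.
    sql = ("SELECT uid, udisplayname FROM users "
           "WHERE udisplayname = '" + display_name + "'")
    return db.execute(sql).fetchall()

def profile_bound(db, display_name):
    # "After": the value is bound as a parameter and is only ever data.
    sql = "SELECT uid, udisplayname FROM users WHERE udisplayname = ?"
    return db.execute(sql, (display_name,)).fetchall()

# Constructed input that closes the string literal and appends a second SELECT.
CRAFTED = "x' UNION SELECT upass, usalt FROM users WHERE uname = 'alice"

if __name__ == "__main__":
    db = make_db()
    print(profile_concat(db, "Alice"))   # normal lookup
    print(profile_concat(db, CRAFTED))   # columns never listed in the query
    print(profile_bound(db, CRAFTED))    # no row has that display name
```

The column list only limits what the intended statement returns; the per-user salt and hashing discussed in the first post remain the control that matters once a row has leaked.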