xtremey_ytinasni Posted January 13, 2012 Basically, is this a good idea to use, or rather select only the fields you need for a certain reason? Say I have the fields: uid, uname, upass, usalt, and udisplayname. If a sneaky little .... somehow injected a query that is used for users that are logged in, wouldn't it be better to only have the relevant fields selected? (In this case, uname, upass, and usalt should only be touched if adding a user, or having a user log in, because beyond that, why would you need something whose purpose is only for authenticating a user?) Or rather select all fields? I've been wondering this for a while. So if I used my method (select only relevant fields), even if a sneaky little .... did inject SQL to try and get a certain user's login information, it would not give them that info because those fields are NOT selected, as opposed to selecting all fields and having that sneaky little .... get ahold of that user's info. Still, even if I used uname and upass, they'd still have to figure out that I'm using a unique salt for each user, and that even if 2 users have the same password, they'd need to do separate rainbow tables for each password. Link to comment https://forums.phpfreaks.com/topic/254925-mysql-select-all/
blacknight Posted January 13, 2012 If you're paranoid, run passwords and usernames through a text matcher for characters you deem not usable like ( ) = `. These are mostly used in SQL queries, and if used, kick the user back with an error.
kicken Posted January 13, 2012 You should select only the fields you need. Not so much due to security like you're thinking, but more due to not wasting resources. There is no need to transfer all the data from all the fields from MySQL to your script if you're only going to use one or two of them. If you just select * in a query where you're joining many tables, you could end up transferring a lot of extra unnecessary data. Also, if you have things indexed and you only need the indexed fields, MySQL can return the data much faster by looking only at the indexes. If you select all fields it has to hit the data file to extract all the un-indexed columns' data when you don't actually need it. Lastly, it makes it easier to understand your scripts because all the fields you're using will be clearly listed in the query, rather than having to guess based on the array keys used throughout the code.
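kicken's second point, that a query touching only indexed columns can be answered from the index without reading the table's data pages, can be checked with the database's own planner. The following is an added example, not code from the thread or from phpfreaks; it uses SQLite (via Python's sqlite3) rather than MySQL because it runs anywhere without a server, and the "covering index" behaviour is the same idea. The schema reuses the poster's column names; the index name idx_users_uname, the rows, and the placeholder hash and salt values are all constructed here.

```python
import sqlite3

# Constructed sample schema for this example (not from the thread); it reuses the
# column names the original poster listed. idx_users_uname is an assumed index.
SCHEMA = """
CREATE TABLE users (
    uid          INTEGER PRIMARY KEY,
    uname        TEXT NOT NULL,
    upass        TEXT NOT NULL,
    usalt        TEXT NOT NULL,
    udisplayname TEXT NOT NULL
);
CREATE INDEX idx_users_uname ON users (uname);
"""

# Constructed rows; the hash and salt values are placeholders, not real digests.
SAMPLE_USERS = [
    (1, "alice", "hash-a", "salt-a", "Alice"),
    (2, "bob",   "hash-b", "salt-b", "Bob"),
]


def open_db():
    """In-memory database loaded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def query_plan(conn, sql, params=()):
    """Ask the planner how it would run `sql`. The human-readable description is
    the last column of each EXPLAIN QUERY PLAN row (column layout varies by version)."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(r[-1]) for r in rows)


def uses_covering_index(conn, sql, params=()):
    """True when every selected column can be read from the index alone,
    so the table's data pages are never touched."""
    return "COVERING INDEX" in query_plan(conn, sql, params)


def selected_columns(conn, sql, params=()):
    """Column names the query actually returns, taken from the cursor metadata.
    This is what 'the fields are clearly listed in the query' buys you."""
    cur = conn.execute(sql, params)
    return [d[0] for d in cur.description]


if __name__ == "__main__":
    db = open_db()
    narrow = "SELECT uname FROM users WHERE uname = ?"
    wide = "SELECT * FROM users WHERE uname = ?"
    for q in (narrow, wide):
        print(q)
        print("  columns:", selected_columns(db, q, ("alice",)))
        print("  plan:   ", query_plan(db, q, ("alice",)))
```

Running it shows the narrow query reported as a search "USING COVERING INDEX" while the SELECT * version uses the same index only to locate the row and then has to fetch the remaining columns from the table. MySQL exposes the equivalent information through EXPLAIN (the "Using index" note in the Extra column).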
laffin Posted January 13, 2012 Too bad there isn't a +1 to users, love the response.
Muddy_Funster Posted January 13, 2012 Limiting your selected fields does not defend against injection attacks, as most of them involve breaking out of your query and running one that is more useful to the attacker - have a look here https://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OWASP-DV-005%29 (think I might put that in my sig...). You need to properly sanitise and escape any user data before it hits the database for that. What it does do is protect you from other script based attacks (as well as what has already been mentioned).
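Muddy_Funster's point is the answer to the original question: if user input becomes part of the SQL text, the column list you chose gives no guarantee about what the query ends up doing, because the input can rewrite the WHERE clause (or the rest of the statement) regardless of which columns are named. The example below is added here and is not code from the thread; it builds the same constructed users table in SQLite via Python's sqlite3, shows a deliberately vulnerable lookup that selects only udisplayname yet still returns every user when the input closes the string literal, and beside it the fix: a bound parameter, which is the standard way to keep user data out of the SQL text and is what "sanitise and escape" is aiming for. The row values and the injected input are constructed for the demonstration.

```python
import sqlite3

# Constructed schema and rows for this example (not from the thread); hash and
# salt values are placeholders.
SCHEMA = """
CREATE TABLE users (
    uid          INTEGER PRIMARY KEY,
    uname        TEXT NOT NULL,
    upass        TEXT NOT NULL,
    usalt        TEXT NOT NULL,
    udisplayname TEXT NOT NULL
);
"""
SAMPLE_USERS = [
    (1, "alice", "hash-a", "salt-a", "Alice"),
    (2, "bob",   "hash-b", "salt-b", "Bob"),
]

# Constructed input that ends the quoted string early and appends an
# always-true condition, so the WHERE clause no longer filters anything.
INJECTED_INPUT = "nobody' OR '1'='1"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def display_name_unsafe(conn, uname):
    """The 'before' form, kept vulnerable on purpose: the input is glued into the
    SQL text. Only udisplayname is selected, but the input controls the query."""
    sql = "SELECT udisplayname FROM users WHERE uname = '" + uname + "'"
    return sorted(row[0] for row in conn.execute(sql))


def display_name_safe(conn, uname):
    """Hardened form: a bound parameter. The driver passes the value to the engine
    as data, so quotes in it can never change the statement's structure."""
    sql = "SELECT udisplayname FROM users WHERE uname = ?"
    return sorted(row[0] for row in conn.execute(sql, (uname,)))


if __name__ == "__main__":
    db = open_db()
    print("normal lookup, unsafe:", display_name_unsafe(db, "alice"))
    print("normal lookup, safe:  ", display_name_safe(db, "alice"))
    print("injected, unsafe:     ", display_name_unsafe(db, INJECTED_INPUT))
    print("injected, safe:       ", display_name_safe(db, INJECTED_INPUT))
```

With a normal username both functions return ['Alice']. With the constructed input the concatenating version returns every display name in the table even though it never selects uname, upass or usalt, while the parameterised version looks for a user literally named "nobody' OR '1'='1" and returns nothing. Selecting fewer columns remains good practice for the reasons kicken gave; it is just not an injection control.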