Koobazaur Posted August 29, 2007

Greetings, I am working on some online interactive content whose main feature is tracking the progress of my users. That is, I may have some 10 input textfields into which a user puts some data and clicks "save" to store it in a database. These interactive bits will be scattered all over my pages, so I wanted to implement an easy and universal method of doing it. I already got my model down, but I just wanted to get some opinions on whether it has any security issues I am missing...

Basically, each bit will have a set of input fields where each field's id will be the name of a column in my database (MySQL). Then I will also have a hidden input field called "tablename" or something that would give the name of the table. Thus, when a user clicks save, I would take all the data and build my query such as UPDATE tablename SET textfield1 = value1, textfield2 = value2, textfield3 = value3 etc...

Now I am not worried about the input (I already check it for injections); what I am worried about is someone editing my page code and actually changing the tablename and textfield ids to inject code. Obviously I would also run those through my injection checker, which would basically limit these values to only alphanumeric characters (meaning you couldn't put spaces or ; to inject a new command). However, I am still not sure if this would be safe enough. I could make it safe by checking the actual names in my php code against some pre-built array to ensure they weren't tampered with, but I want to make this whole system as simple and easy to implement as possible.

Thanks
lightningstrike Posted August 29, 2007

Well, to be honest, I think that's a design that's asking to be tampered with. I mean someone might be able to put data into a table they shouldn't be able to access if they get its name. What I would recommend, I guess, is to read http://www.phpfreaks.com/quickcode/Check-if-a-table-exists/665.php

You could possibly encrypt the table $name . "|" . $sessionid in the hidden field, then decrypt it and see if it's a valid alphanumeric response, then check if that table exists using the tutorial above and that the sessionid after the | is actually the user logged in, or something like that.
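The two posts above circle the same point: table and column names cannot be bound as prepared-statement parameters, so the only safe way to accept them from a form is to check them against a list the server already owns (Koobazaur's "pre-built array"), and the only safe way to stop a user writing into someone else's row or table is to tie the write to the logged-in session (lightningstrike's sessionid idea). The following is an added example of a PHP save handler that does both; it is not code from either poster. It assumes PDO with real prepared statements, a `user_id` column on every saveable table, and hypothetical table and column names in the allowlist.

```php
<?php
// Added example (not from either post): a save handler that takes the table
// name and field ids from the submitted form but only acts on them if they
// appear in a fixed allowlist kept in PHP code, and binds every value as a
// prepared-statement parameter. Table/column names below are hypothetical.

// Allowlist: table name => columns a user is permitted to update in it.
// Identifiers can never be bound as parameters, so this array is the only
// thing standing between the form and the text of the query.
const SAVEABLE = [
    'progress_quiz1' => ['answer1', 'answer2', 'answer3'],
    'progress_essay' => ['draft', 'title'],
];

/**
 * Build and run the UPDATE for one "save" click.
 *
 * @param PDO   $db     open connection (assumed to use server-side prepares)
 * @param int   $userId id of the logged-in user, taken from the session, never the form
 * @param array $post   the submitted fields, e.g. $_POST
 * @return int  number of rows updated (0 if the user owns no row in that table)
 */
function saveProgress(PDO $db, int $userId, array $post): int
{
    $table = $post['tablename'] ?? '';
    if (!isset(SAVEABLE[$table])) {
        // Unknown table: refuse outright instead of trying to "clean" the name.
        throw new InvalidArgumentException('table not allowed');
    }

    $assignments = [];
    $values      = [];
    // Iterate over the allowlist, not over $post: any extra field an attacker
    // adds to the form (say, a column they should not touch) is simply ignored.
    foreach (SAVEABLE[$table] as $column) {
        if (!array_key_exists($column, $post)) {
            continue;                   // field not on this page, leave column untouched
        }
        // $column comes from the allowlist, so interpolating it is safe;
        // the value goes through a placeholder.
        $assignments[] = "`$column` = ?";
        $values[]      = $post[$column];
    }
    if ($assignments === []) {
        return 0;                       // nothing recognised, nothing to do
    }

    // Row ownership is enforced in SQL: a user can only ever update their own row.
    $sql = sprintf('UPDATE `%s` SET %s WHERE user_id = ?',
                   $table, implode(', ', $assignments));
    $values[] = $userId;

    $stmt = $db->prepare($sql);
    $stmt->execute($values);
    return $stmt->rowCount();
}

// Usage (hypothetical DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass', [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// session_start();
// echo saveProgress($db, (int) $_SESSION['user_id'], $_POST);
```

The design choice worth noting is that the handler never sanitises the identifiers at all: an alphanumeric filter would still let a tampered form name a real but off-limits table or column, whereas looking the names up in `SAVEABLE` and walking that list means only names the developer wrote into the code can ever reach the query. Adding a new interactive page is then just one more entry in the array, which keeps the "simple and universal" goal of the original post.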