
Greetings,


I am working on some online interactive content whose main feature is tracking the progress of my users. That is, I may have some 10 input textfields into which a user puts some data and clicks "save" to store it in a database. These interactive bits will be scattered all over my pages, so I wanted to implement an easy and universal method of doing it. I already got my model down, but I just wanted to get some opinions on whether it has any security issues I am missing...


Basically, each bit will have a set of input fields where each field's id will be a name of a column in my database (MySQL). Then I will also have a hidden input field called "tablename" or something that would give the name of the table. Thus, when a user clicks save, I would take all the data and build my query such as


UPDATE tablename SET textfield1 = value1, textfield2 = value2, textfield3 = value3 etc...


Now I am not worried about the input (I already check it for injections), what I am worried about is someone editing my page code and actually changing the tablename and textfield ids to inject code. Obviously I would also run those through my injection checker which would basically limit these values to only alphanumeric characters (meaning you couldn't put spaces or ; to inject a new command). However, I am still not sure if this would be safe enough.


I could make it safe by checking the actual names in my php code against some pre-built array to ensure they weren't tampered with, but I want to make this whole system as simple and easy to implement as possible.


Thanks


Well, to be honest, I think that's a design that's asking to be tampered with. I mean someone might be able to put data into a table they shouldn't be able to access if they get its name.


What I would recommend, I guess, is to read http://www.phpfreaks.com/quickcode/Check-if-a-table-exists/665.php


You could possibly encrypt the table $name . "|" . $sessionid in the hidden field, then decrypt it and see if it's a valid alphanumeric response, then check if that table exists using the tutorial above and that the sessionid after the | is actually the user logged in, or something like that.
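As an added example (not code from either poster), here is the "pre-built array" approach the first post mentions and the reply points towards, written in PHP with PDO: the table and column names the browser sends are only used as keys into a hardcoded allowlist, so nothing from the form is ever copied into the SQL as an identifier; the values are bound parameters; and the row to update is chosen by the logged-in user's id from the session rather than anything in the form. The table and column names, the `user_id` column, and the `$pdo` connection are assumptions for the illustration.

```php
<?php
// Added example for the thread above, not the original poster's code.
// Assumed schema: each progress table has a user_id column plus the
// editable answer columns listed here. Only these names may ever appear
// in a generated UPDATE; the hidden "tablename" field just selects a key.
const EDITABLE_FIELDS = [
    'lesson1_answers' => ['textfield1', 'textfield2', 'textfield3'],
    'lesson2_answers' => ['answer_a', 'answer_b'],
];

/**
 * Build a parameterized UPDATE for the current user's row.
 * Returns [$sql, $params]; throws if the form named an unknown table or column.
 */
function buildProgressUpdate(string $table, array $fields, int $userId): array
{
    if (!isset(EDITABLE_FIELDS[$table])) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $allowed     = EDITABLE_FIELDS[$table];
    $assignments = [];
    $params      = [];
    foreach ($fields as $column => $value) {
        // Membership in the allowlist, not an alphanumeric filter: a column
        // name can pass a character check and still be a column the user
        // must not write to.
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("unknown column: $column");
        }
        $assignments[] = "`$column` = ?"; // identifier from OUR array
        $params[]      = $value;          // user value stays a bound parameter
    }
    if ($assignments === []) {
        throw new InvalidArgumentException('no editable fields submitted');
    }
    // The WHERE clause is assumed: row ownership comes from the session,
    // never from a form field, so the update cannot touch other users' rows.
    $params[] = $userId;
    $sql = "UPDATE `$table` SET " . implode(', ', $assignments) . " WHERE user_id = ?";
    return [$sql, $params];
}

// Constructed stand-in for $_POST and for $_SESSION['user_id'] (assumed to be
// set at login). The value field is deliberately hostile-looking to show it
// only ever reaches the driver as a parameter.
$post = ['tablename' => 'lesson1_answers', 'textfield1' => "x'; DROP TABLE t; --", 'textfield2' => '42'];
[$sql, $params] = buildProgressUpdate($post['tablename'], array_diff_key($post, ['tablename' => 1]), 7);
echo $sql, PHP_EOL;
// With a real connection: $stmt = $pdo->prepare($sql); $stmt->execute($params);
```

A name that is not in the array is rejected before any SQL is built, which is the check the first post describes wanting to avoid; with the array in one place it is also the only thing to update when a new interactive bit is added.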

