Koobazaur, posted August 29, 2007

Greetings, I am working on some online interactive content whose main feature is tracking the progress of my users. That is, I may have some 10 input textfields into which a user puts some data and clicks "save" to store it in a database. These interactive bits will be scattered all over my pages, so I wanted to implement an easy and universal method of doing it. I already got my model down, but I just wanted to get some opinions on whether it has any security issues I am missing...

Basically, each bit will have a set of input fields where each field's id will be the name of a column in my database (MySQL). Then I will also have a hidden input field called "tablename" or something that would give the name of the table. Thus, when a user clicks save, I would take all the data and build my query such as UPDATE tablename SET textfield1 = value1, textfield2 = value2, textfield3 = value3 etc...

Now I am not worried about the input (I already check it for injections); what I am worried about is someone editing my page code and actually changing the tablename and textfield ids to inject code. Obviously I would also run those through my injection checker, which would basically limit these values to only alphanumeric characters (meaning you couldn't put spaces or ; to inject a new command). However, I am still not sure if this would be safe enough. I could make it safe by checking the actual names in my php code against some pre-built array to ensure they weren't tampered with, but I want to make this whole system as simple and easy to use and implement as possible.

Thanks
lightningstrike, posted August 29, 2007

Well to be honest I think that's a design that's asking to be tampered with. I mean someone might be able to put data into a table they shouldn't be able to access if they get its name. What I would recommend, I guess, is to read http://www.phpfreaks.com/quickcode/Check-if-a-table-exists/665.php

You could possibly encrypt the table $name . "|" . $sessionid in the hidden field, then decrypt it and see if it's a valid alphanumeric response, then check if that table exists using the tutorial above and that the sessionid after the | is actually the user logged in, or something like that.
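Added example, not code from either poster: a PHP save handler that applies the "pre-built array" check from the question and the table/session validation from the reply. Table and column identifiers are resolved against a server-side allowlist (identifiers cannot be bound as prepared-statement parameters, so the allowlist is what keeps them out of the SQL text), and only values are bound; the table names, column names and the `user_id` column are assumptions.

```php
<?php
// Added example (not from the thread): a save handler that never trusts
// client-supplied table or column names. Identifiers are resolved against
// a server-side allowlist; only values are bound through PDO placeholders.
// Assumed schema: tables "progress" and "notes" with the listed columns,
// each carrying a "user_id" column that scopes rows to the logged-in user.

const ALLOWED_TABLES = [
    'progress' => ['textfield1', 'textfield2', 'textfield3'],
    'notes'    => ['title', 'body'],
];

/**
 * Build an UPDATE from a POST-like array. Returns [sql, params] or throws.
 * $post['tablename'] and the field keys are untrusted; they are used only
 * as lookup keys into ALLOWED_TABLES, never interpolated into SQL directly.
 */
function buildUpdate(array $post, int $userId): array
{
    $table = $post['tablename'] ?? '';
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException('unknown table');
    }
    $sets = [];
    $params = [];
    foreach (ALLOWED_TABLES[$table] as $col) {
        if (array_key_exists($col, $post)) {
            // $col comes from the allowlist, not from the request
            $sets[] = "`$col` = :$col";
            $params[":$col"] = (string) $post[$col];
        }
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no updatable fields');
    }
    // Keys in $post that are not on the allowlist are simply ignored, so a
    // tampered field id or table name can never reach the SQL text.
    $params[':user_id'] = $userId;
    $sql = "UPDATE `$table` SET " . implode(', ', $sets)
         . " WHERE user_id = :user_id";
    return [$sql, $params];
}

// Usage with PDO (connection and session handling assumed):
// [$sql, $params] = buildUpdate($_POST, (int) $_SESSION['user_id']);
// $pdo->prepare($sql)->execute($params);
```

The WHERE clause bound to the session's user id is what replaces the reply's "sessionid after the |" check: a client can only ever update its own row in an allowlisted table.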