
Simple database storing system - security concerns


Koobazaur


Greetings,

 

I am working on some online interactive content whose main feature is tracking the progress of my users. That is, I may have some 10 input textfields into which a user puts some data and clicks "save" to store it in a database. These interactive bits will be scattered all over my pages, so I wanted to implement an easy and universal method of doing it. I already have my model down, but I just wanted to get some opinions on whether it has any security issues I am missing...

 

Basically, each bit will have a set of input fields where each field's id will be a name of a column in my database (MySQL). Then I will also have a hidden input field called "tablename" or something that would give the name of the table. Thus, when a user clicks save, I would take all the data and build my query such as

 

UPDATE tablename SET textfield1 = value1, textfield2 = value2, textfield3 = value3 etc...

 

Now I am not worried about the input (I already check it for injections), what I am worried about is someone editing my page code and actually changing the tablename and textfield ids to inject code. Obviously I would also run those through my injection checker which would basically limit these values to only alphanumeric characters (meaning you couldn't put spaces or ; to inject a new command). However, I am still not sure if this would be safe enough.

 

I could make it safe by checking the actual names in my PHP code against some pre-built array to ensure they weren't tampered with, but I want to make this whole system as simple and easy to implement as possible.

 

Thanks
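The "pre-built array" approach mentioned above, written out as an added example (not the poster's code): the table and column names sent by the browser are only ever used if they appear in a server-side allow-list, and the values go through bound placeholders. It assumes a PDO connection in $pdo, the logged-in user's id in $userId, and that each progress table has a user_id column to scope the update.

```php
<?php
// Added example, not the poster's code. Assumed: PDO connection $pdo,
// logged-in user's id $userId, and a user_id column on every progress table.

// Every table the interactive bits may write to, with the columns each may touch.
// Names never come from the client; the client only picks an entry from this list.
const ALLOWED_TABLES = [
    'lesson1_progress' => ['textfield1', 'textfield2', 'textfield3'],
    'lesson2_progress' => ['answer_a', 'answer_b'],
];

/**
 * Build the UPDATE statement and its bound values from the submitted fields.
 * Returns [sql, params], or null when the table or any field is not allowed.
 */
function buildProgressUpdate(array $post, int $userId): ?array
{
    $table = $post['tablename'] ?? '';
    if (!isset(ALLOWED_TABLES[$table])) {
        return null; // unknown or tampered table name: refuse, no fallback
    }
    $allowedCols = ALLOWED_TABLES[$table];

    $assignments = [];
    $params = [];
    foreach ($post as $field => $value) {
        if ($field === 'tablename') {
            continue;
        }
        if (!in_array($field, $allowedCols, true)) {
            return null; // a field id that is not a known column of this table
        }
        // The identifier is taken from our own list, the value is bound.
        $assignments[] = "`{$field}` = :{$field}";
        $params[':' . $field] = (string) $value;
    }
    if ($assignments === []) {
        return null;
    }
    $params[':user_id'] = $userId;
    $sql = "UPDATE `{$table}` SET " . implode(', ', $assignments)
         . " WHERE user_id = :user_id";
    return [$sql, $params];
}

// Usage on a save request:
// $r = buildProgressUpdate($_POST, $userId);
// if ($r !== null) { $pdo->prepare($r[0])->execute($r[1]); }
```

Rejecting the whole request on the first unknown name, rather than silently dropping that field, makes tampering visible in logs instead of being absorbed.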

 

Well, to be honest, I think that's a design that's asking to be tampered with. I mean someone might be able to put data into a table they shouldn't be able to access if they get its name.

 

What I would recommend, I guess, is to read http://www.phpfreaks.com/quickcode/Check-if-a-table-exists/665.php

 

You could possibly encrypt the table $name . "|" . $sessionid in the hidden field then decrypt it and see if it's a valid alphanumeric response then check if that table exists using the tutorial above and the sessionid after the | is actually the user logged in or something like that.
