designtrooper — 2014-02-27T09:03:47-05:00 — #1
At first glance this topic seems to belong in another forum but the reason I am posting here will become apparent later.
I have a table in my app where one column is named staffID.
That being said, what is contained in that column (the values, I mean) is placed as the value of the data attribute of an input element.
The data attribute has the name data-staffID and I need it in order to run update queries on the server side.
Elaborating a little, the value that is contained in data-staffID is sent to the server via ajax. Here is an example:
?><input class='text' size='40' data-staffid='<?php echo $value['staff_ID']; ?>' value='<?php echo $value['name']; ?>' type="text" name="name">
I am afraid though that giving such a name to the data attribute will raise security issues.
I think changing it, maybe to a not so obvious name, would be a solution.
What do you think in general about the problem I describe above?
I want to hear some opinions.
felgall — 2014-02-27T20:06:28-05:00 — #2
What you name a field has no effect on security. The only thing that can affect security is the value being stored in the field (such as if you encrypt the value before using it in the page and decrypt it again if it is passed back to the server).
designtrooper — 2014-02-27T23:55:54-05:00 — #3
Well, the reason I said that it might raise security issues is that if the name stays as it is now (staffID), it might make someone suspicious that this refers to a table column name.
Of course I can always change the name.
Lastly, I agree about encrypting the value, which, in the bottom line, is the cause of security concerns.
mittineague — 2014-02-28T00:12:04-05:00 — #4
:fangel: you say this is a database topic but then go on to "security by obscurity" (which is no security).
The security won't come from the names you use but
- method used for the query
- method used to retrieve and display results
- field restrictions, e.g. unique, max length
Though field datatype can be important (IMHO more for preserving integrity, not security), how you go about handling the data is most important.
designtrooper — 2014-02-28T13:16:46-05:00 — #5
Those two above, I do not think they apply here. This ID I am referring to is not entered in a form by the user but embedded in an HTML input element as a data- attribute that had previously been taken from a database table.
felgall — 2014-02-28T16:10:43-05:00 — #6
That's precisely what sanitization is for - fields that the user is not supposed to touch but where they could. Basically it means stripping out any invalid characters. As the untouched field will not contain invalid characters it will pass straight through but if someone tampers with it in an attempt to break security then at least part of their code will be stripped out.
Validate user inputs.
Sanitize inputs from all other sources.
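The handling the replies describe (check the ID that comes back from the page, use a parameterized query, escape values on output), as an added example that is not part of the thread. The `updateStaffName` and `renderInput` helpers, the `staff` table, the 40-byte name limit and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Constructed in-memory table and row; table and column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (staff_ID INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO staff (staff_ID, name) VALUES (7, 'Alice')");

// Hypothetical handler for the ajax update request.
function updateStaffName(PDO $pdo, array $post): bool
{
    // The ID travelled through a data- attribute, so the client can alter it:
    // accept only a positive integer and reject anything else outright.
    $id = filter_var($post['staffid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $name = $post['name'] ?? null;
    if ($id === false || !is_string($name)) {
        return false;
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 40) { // assumed field restriction
        return false;
    }
    // Placeholders keep both values out of the SQL text itself.
    $stmt = $pdo->prepare('UPDATE staff SET name = :name WHERE staff_ID = :id');
    $stmt->execute([':name' => $name, ':id' => $id]);
    return $stmt->rowCount() === 1; // false when no such row exists
}

// Escape on output so a stored name cannot break out of the attribute.
function renderInput(array $row): string
{
    return sprintf(
        '<input class="text" size="40" data-staffid="%d" value="%s" type="text" name="name">',
        $row['staff_ID'],
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
    );
}

// Constructed requests: one untouched, one with a tampered ID.
var_dump(updateStaffName($pdo, ['staffid' => '7', 'name' => 'Alice "Al" Smith']));
var_dump(updateStaffName($pdo, ['staffid' => '7 OR 1=1', 'name' => 'x']));

$row = $pdo->query('SELECT staff_ID, name FROM staff WHERE staff_ID = 7')
           ->fetch(PDO::FETCH_ASSOC);
echo renderInput($row), "\n";
```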