php - Does naming your form fields the same as mysql actually pose any security risk? -

-

Is there any reason why you should name your form fields as HTML fields or not? 

  & lt; Input type = "text" name = "my_field_1" id = "my_field_1" /> - & gt; Mysql line my_field_1

or 

  & lt; Input type = "text" name = "myField1" id = "myField1" /> - & gt; Mysql row my_field_1

I can think that only one thing is probably naming conventions for HTML versus MyScall (personal preference), as well as prevention of minor injections (obviously the area's Name must be changed too much ... but all the values ​​must be valid before also + use the real escape strings.)

The only way I can see that it can cause a problem when the attack A common table identifies the name of a protected column that should not be changed through the form, and intends to have a new input element with that name, "slipping" illegally in the table.

This is a program that should filter your program in any way, so there is no problem in your actual column After the names, the Farming Naming Field does not need to take care of the loop any time through every available table column or form field , but the updates that are being updated need to be selected. .

A secondary, very minimal risk is to highlight column names in your table, so if you are over-confused about security, then you give the form field a different name than their column Want to But I can not see any real need for it.


Comments

Post a Comment

Popular posts from this blog

oracle - The fastest way to check if some records in a database table? -

-
I have a big table to work with. I have to see that there are some records whose parent_id is equal to my passing value. Currently I do this by implementing "my_table using select count (*) where parent_id =: id"; If the result> 0, it means that they exist. Because this is a very large table, and I do not care what the actual number of records present, I just want to know if it exists, so I think count (*) Bit is disabled. How do I apply this requirement most quickly? I'm using Oracle 10. # Tips for Hibernation & amp; Tricks It suggests writing in such a way: Integer number = (integer) session .createQuery ("Select Count (*) to ...."). UniqueResult (); I do not know what is the magic of the unique rule? Why does it fast? To compare, select "1 from mytable where parent_id = passId and rowrum", which is more efficient? If you are not interested in the number of records, then there is an EXISTS query one: Select 'y'
Read more

php - multilevel menu with multilevel array -

-
Just ask someone to solve this problem? I want to create a multilevel menu I can not find the right solution generated with multilevel array, it always gets an array_push error My study came from the original idea But still my Can not match the need. This is my MySQL [code] ----- --------------------- --------------- | ID | PARENT_ID | Name | Link | Seq | 1 | 0 | Dashboad | Dashboard / | 1 | 2 | 0 | Menu 1 | Menu 1 / | 2 | 3 | 0 | Menu 2 | Menu 2 / | 3 | 4 | 0 | Menu 3 | Menu 3 / | 4 | 5 | 2 | Joint Add / | 1 | 6 | 3 | Joint Add / | 1 | 7 | 2 | Edit | Edit / | 2 | 8 | 4 | Joint Add / | 1 ------------------------------------------ [/ Code] I want to do something like this in my array array ('dashboard' = & gt; array ('id' = & gt; '' 'Dame' = & gt; 'Dashboard', 'Title' = & gt; 'Dashboard', 'MatchMin' = & gt; Base_URL (). 'Dashboard /', 'Active' => = & Gt; NULL), &
Read more

jQuery UI: Datepicker month format -

-
I am trying to change the format of the month that shows in the popup (not in the date that the picker actually I do not have any choice anywhere to do this, do I like to use a sub-string () or something else? What I normally display is Trying to change: Class = "ui-datepicker-title"> January & lt; / span & gt; ... & lt; / div & gt; Div>
Read more