  1. #1
    New Coder
    Join Date
    Jan 2011
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts

    If I reveal a table/view, is it safe?

    Hi,

    How safe is it for my site if I pass a table or view name as an argument in the URL? (GET method) I would like to use a single AJAX handler (both JS and PHP) and do the parsing only from the main page.

    If this is not safe, and if I have two different fields using AJAX, how do I make them use the same scripts but different tables?

    Thanks.

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,549
    Thanks
    8
    Thanked 1,095 Times in 1,086 Posts
    It could be safe, but may pose SEO issues, if that's important to you.

    Can you give us more of an example of what you mean?

  • #3
    New Coder
    Join Date
    Jan 2011
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts
    For instance, if I use:

    AJAXHandler.php?table=tablename&args=arglist...

    to handle my AJAX query, the table name is revealed to anyone using a developer's console (in Firefox 4, you can certainly see the URL for the AJAX request).

    If this is unsafe, is there a way around it?

  • #4
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,549
    Thanks
    8
    Thanked 1,095 Times in 1,086 Posts
    Give your MySQL tables names like,
    catalog_7643
    users_7643
    configuration_7643

    Then, append the _7643 after you do the $_GET

    They will only see half of the table name.


  • #5
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    can you do it using the session?

    store the values in the session and then when running AJAXhandler.php make it get those values from the session?

    bazz
    "The day you stop learning is the day you become obsolete"! - my late Dad.

    Why do some people say "I don't know for sure"? If they don't know for sure then, they don't know!


  • #6
    New Coder
    Join Date
    Jan 2011
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Both ideas sound good.
    I also thought of a third one, whereby I pass a table-specific keyword into my AJAX handler, which then looks up the mapping and queries the corresponding table. But if I use the database, I double the queries per request - and if I use a file, I'll have to check it before proceeding every time. And if I perform the lookup only once, storing it in a variable client-side, then it's no longer safe again...
    Any thoughts?

  • #7
    Regular Coder adarshakb
    Join Date
    Jun 2009
    Location
    Silicon valley of india
    Posts
    247
    Thanks
    11
    Thanked 1 Time in 1 Post
    Quote Originally Posted by izecul View Post
    Both ideas sound good.
    I also thought of a third one, whereby I pass a table-specific keyword into my AJAX handler, which then looks up the mapping and queries the corresponding table. But if I use the database, I double the queries per request - and if I use a file, I'll have to check it before proceeding every time. And if I perform the lookup only once, storing it in a variable client-side, then it's no longer safe again...
    Any thoughts?
    ..how about you do the querying only once and store it in a session variable.
    ..Or a better solution would be to hand-code the array but it wouldn't be dynamic.
    Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.

    Albert Einstein

  • #8
    New Coder
    Join Date
    Jan 2011
    Posts
    10
    Thanks
    4
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by adarshakb View Post
    ..how about you do the querying only once and store it in a session variable.
    This sounds feasible, but what would be the impact on the server as traffic goes up?

    ..Or a better solution would be to handcode the array but it wouldnt be dynamic.
    Hand-/hard-coding the array will make the whole thing less flexible. As it is, I am looking for a script I can use on all pages, where the only changes I have to make when I add AJAX lookups is on the arguments for the 'input' tags.
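    The keyword-to-table mapping floated in #6 and #7 can be kept as a hard-coded allowlist on the server, so the client only ever sees a short keyword and the handler refuses anything outside the list. The PHP below is an added example, not code from this thread; the table and column names, the PDO connection details and the `lookup`/`q` parameter names are all assumed.

```php
<?php
// Added example (not from the thread): a single AJAX handler that takes a public
// keyword instead of a table name. The keyword is resolved through a hard-coded
// allowlist, so real table names stay server-side and no identifier in the SQL
// ever comes straight from $_GET. Schema and connection details are assumptions.
declare(strict_types=1);

// Allowlist: public keyword => [table, searchable column]. Only entries listed
// here can ever be queried; everything else is rejected before any SQL runs.
const LOOKUPS = [
    'product' => ['table' => 'catalog', 'column' => 'name'],
    'member'  => ['table' => 'users',   'column' => 'username'],
];

// Returns the allowlist entry for a keyword, or null when it is not listed.
function resolveLookup(string $keyword): ?array
{
    return LOOKUPS[$keyword] ?? null;
}

// Runs the lookup. Identifiers come only from the allowlist; the user's search
// term is bound as a parameter so it cannot change the structure of the query.
function runLookup(PDO $pdo, string $keyword, string $term): array
{
    $spec = resolveLookup($keyword);
    if ($spec === null) {
        http_response_code(400);
        return ['error' => 'unknown lookup'];
    }
    $sql = sprintf(
        'SELECT `%s` FROM `%s` WHERE `%s` LIKE ? LIMIT 20',
        $spec['column'], $spec['table'], $spec['column']
    );
    $stmt = $pdo->prepare($sql);
    // Prefix search; LIKE wildcards typed by the user are treated as data,
    // not as SQL, because they travel in the bound parameter.
    $stmt->execute([$term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Example request: AJAXHandler.php?lookup=product&q=lamp  (assumed DSN/credentials)
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
header('Content-Type: application/json');
echo json_encode(runLookup(
    $pdo,
    (string) ($_GET['lookup'] ?? ''),
    (string) ($_GET['q'] ?? '')
));
```

    Adding a new AJAX field then means adding one allowlist entry and pointing the input's keyword at it; the handler script itself does not change.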

