  1. #1 designtrooper (SitePoint Enthusiast)

    data attribute and security considerations

    At first glance this topic seems to belong in another forum but the reason I am posting here will become apparent later.
    I have a table in my app where one column is named staffID.

    That being said, what is contained in that column (the values, I mean) is placed as the value of a data attribute on an input element.
    The data attribute is named data-staffID and I need it in order to run update queries on the server side.

    Elaborating a little, the value contained in data-staffID is sent to the server via AJAX. Here is an example:
    HTML Code:
       <input class="text" size="40" type="text" name="name"
              data-staffid="<?php echo htmlspecialchars($value['staff_ID'], ENT_QUOTES, 'UTF-8'); ?>"
              value="<?php echo htmlspecialchars($value['name'], ENT_QUOTES, 'UTF-8'); ?>">
    I am afraid, though, that giving such a name to the data attribute will raise security issues.
    Changing it to a less obvious name might, I think, be a solution.

    What do you think in general about the problem I describe above?
    I want to hear some opinions.

  2. #2 felgall (Programming Since 1978)
    What you name a field has no effect on security. The only thing that can affect security is the value being stored in the field (such as if you encrypt the value before using it in the page and decrypt it again if it is passed back to the server).
    Stephen J Chapman

  3. #3 designtrooper (SitePoint Enthusiast)
    Quote Originally Posted by felgall:
    What you name a field has no effect on security. The only thing that can affect security is the value being stored in the field (such as if you encrypt the value before using it in the page and decrypt it again if it is passed back to the server).
    Well, the reason I said that it might raise security issues is that if the name stays as it is now (staffID) it might make someone suspect that it refers to a table column name.
    Of course I can always change the name.

    Lastly, I agree about encrypting the value, which, at bottom, is the cause of the security concerns.

  4. #4 Mittineague (Programming Team)
    You say this is a database topic but then go on to "security by obscurity" (which is no security).

    The security won't come from the names you use but

    Code:
    validation
    sanitation
    method used for the query
    method used to retrieve and display results

    Database
    field datatype
    field restrictions eg. unique, max length

    Though field datatype can be important (IMHO more for preserving integrity, not security), how you go about handling the data is most important.

  5. #5 designtrooper (SitePoint Enthusiast)
    Quote Originally Posted by Mittineague:
    you say this is a database topic but then go on to "security by obscurity" (which is no security).

    The security won't come from the names you use but

    Code:
    validation
    sanitation
    Those two above I do not think apply here. This ID I am referring to is not entered in a form by the user but embedded in an HTML input element as a data- attribute, having previously been taken from a database table.

  6. #6 felgall (Programming Since 1978)
    Quote Originally Posted by designtrooper:
    This ID I am referring to is not entered in a form by the user but embedded in an HTML input element as a data- attribute, having previously been taken from a database table.
    That's precisely what sanitization is for - fields that the user is not supposed to touch but where they could. Basically it means stripping out any invalid characters. As the untouched field will not contain invalid characters it will pass straight through but if someone tampers with it in an attempt to break security then at least part of their code will be stripped out.

    Validate user inputs.
    Sanitize inputs from all other sources.
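Felgall's closing rule (validate user input, sanitize everything else) and Mittineague's list (validation, the method used for the query) are what actually protect the update request described in the first post, so here is an added example, not code from the thread, of the server side of that AJAX call in PHP. It assumes a hypothetical table staff(staff_ID, name, manager_ID) and a hypothetical rule that a user may rename only the rows whose manager_ID is their own id; the demo uses a constructed in-memory SQLite database so it runs stand-alone with `php update.php`. It goes one step beyond the thread: because the data-staffid value can be edited by anyone with a browser, the handler also checks that the requester is allowed to update that particular row, which neither renaming the attribute nor stripping characters from its value would do.

```php
<?php
// Added example (not code from the thread). Server side of the AJAX update:
// the staffid arrives from a data- attribute the user can edit at will, so the
// handler (1) validates it, (2) checks the requester may update that row, and
// (3) runs a prepared statement. Hypothetical schema and rule: table
// staff(staff_ID, name, manager_ID); a user may rename only rows whose
// manager_ID equals their own id.
declare(strict_types=1);

/** Validate: a positive integer, not merely "free of dangerous characters". */
function parseStaffId($raw): ?int
{
    // FILTER_VALIDATE_INT rejects "3 OR 1=1", "1.5", "", arrays and null.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Validate the name the same way: non-empty, length-bounded, no control characters. */
function parseName($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 40 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return $name;
}

/**
 * Handle one update request. $post stands in for $_POST; $requesterId is the
 * id kept in the server-side session (never taken from the request itself).
 * Returns [http status, body] so the outcome can be inspected by the caller.
 */
function handleUpdate(PDO $pdo, int $requesterId, array $post): array
{
    $staffId = parseStaffId($post['staffid'] ?? null);
    $name    = parseName($post['name'] ?? null);
    if ($staffId === null || $name === null) {
        return [400, ['error' => 'invalid input']];
    }
    // Authorization is part of the WHERE clause: a tampered staffid pointing at
    // someone else's row updates nothing. Placeholders, not string concatenation,
    // carry the values into the query.
    $stmt = $pdo->prepare(
        'UPDATE staff SET name = :name WHERE staff_ID = :id AND manager_ID = :mgr'
    );
    $stmt->execute([':name' => $name, ':id' => $staffId, ':mgr' => $requesterId]);
    if ($stmt->rowCount() !== 1) {
        return [403, ['error' => 'no such row or not permitted']];
    }
    return [200, ['ok' => true]];
}

// ---- demo with a constructed in-memory database (sample data, not real) ----
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (staff_ID INTEGER PRIMARY KEY, name TEXT, manager_ID INTEGER)');
$pdo->exec("INSERT INTO staff VALUES (1, 'Alice', 10), (2, 'Bob', 10), (3, 'Carol', 20)");

$requester = 10; // logged-in manager of rows 1 and 2
$cases = [
    'legit'     => ['staffid' => '2', 'name' => 'Robert'],    // own row
    'tampered'  => ['staffid' => '3', 'name' => 'Mallory'],   // another manager's row
    'injection' => ['staffid' => '3 OR 1=1', 'name' => 'x'],  // fails validation
];
foreach ($cases as $label => $post) {
    [$status, $body] = handleUpdate($pdo, $requester, $post);
    printf("%-9s -> %d %s\n", $label, $status, json_encode($body));
}
```

The demo issues three requests: the legitimate one succeeds, the one pointing at another manager's row is refused with 403 because the WHERE clause matches nothing, and the non-numeric one is rejected with 400 before any query runs. Note that the validation is a whitelist (the id must be an integer in range), not a blacklist of "invalid characters": a well-formed but foreign id passes any character filter, which is exactly why the authorization check in the query is needed.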