If I reveal a table/view, is it safe?

izecul · 01-08-2011, 07:55 PM

Hi,

How safe is it for my site if I pass a table or view name as an argument in the URL? (GET method) I would like to use a single AJAX handler (both JS and PHP) and do the parsing only from the main page.

If this is not safe, and if I have two different fields using AJAX, how do I make them use the same scripts but different tables?

Thanks.

mlseim · 01-08-2011, 08:36 PM

It could be safe, but may pose SEO issues, if that's important to you.

Can you give us more of an example of what you mean?

izecul · 01-08-2011, 08:49 PM

For instance, if I use:

AJAXHandler.php?table=tablename&args=arglist...

to handle my AJAX query, the table name is revealed to anyone using a developer's console (in Firefox 4, you can certainly see the URL for the AJAX request)

If this is unsafe, is there a way around it?

mlseim · 01-08-2011, 09:14 PM

Give your MySQL tables names like,
catalog_7643
users_7643
conguration_7643

Then, append the _7643 after you do the $_GET

They will only see half of the table name.

bazz · 01-08-2011, 09:22 PM

can you do it using the session?

store the values in the session and then when running AJAXhandler.php make it get those values from the session?

bazz

izecul · 01-10-2011, 05:55 AM

Both ideas sound good.
I also thought of a third one, whereby I pass a table-specific keyword into my AJAX handler, which then looks up the mapping and queries the corresponding table. But if I use the database, I double the queries per request - and if I use a file, I'll have to check it before proceeding everytime. And if I perform the lookup only once, storing it on a variable client-side, then it's no longer safe again...
Any thoughts?

adarshakb · 01-10-2011, 08:07 AM

Quote:

Both ideas sound good.
I also thought of a third one, whereby I pass a table-specific keyword into my AJAX handler, which then looks up the mapping and queries the corresponding table. But if I use the database, I double the queries per request - and if I use a file, I'll have to check it before proceeding everytime. And if I perform the lookup only once, storing it on a variable client-side, then it's no longer safe again...
Any thoughts?

..how about you do the querying only once and store it in a session variable.
..Or a better solution would be to handcode the array but it wouldnt be dynamic.

izecul · 01-10-2011, 12:25 PM

Quote:

Originally Posted by adarshakb

..how about you do the querying only once and store it in a session variable.

This sounds feasible, but what would be the impact on the server as traffic goes up?

Quote:

..Or a better solution would be to handcode the array but it wouldnt be dynamic.

Hand-/hard-coding the array will make the whole thing less flexible. As it is, I am looking for a script I can use on all pages, where the only changes I have to make when I add AJAX lookups is on the arguments for the 'input' tags.