Does having a bad table and column naming convention is a good protection against Sql injection_问答_开发者

Does having a bad table and column naming convention is a good protection against Sql injection

开发者 https://www.devze.com 2023-03-28 08:33 出处：网络

An hacker have much more chance to try to i开发者_如何学JAVAnject this query: \') DELETE FROM Users --

相关专题：sql tsql

An hacker have much more chance to try to i开发者_如何学JAVAnject this query:

') DELETE FROM Users --

then this one:

') DELETE From Blargblarbglbglab--

Does having a bad table and column naming convention is a good additional protection against Sql injection.

Not a good technique / tactic, aside from making your own life very difficult - if you have a vulnrability that allows them to query tables and see the results in some form, they can inject a query to look in the information_schema views / tables.

So the bad naming only get's in your own way, it doesn't make it impossible for a hacker to find out the table names.

Protect against it properly with the right coding practises.

I found this article and it explains how to prevent SQL Injection attacks quite nicely :o)

MySQL - SQL Injection

If a hacker has managed to attack your site, they'll be able to access the system tables so it doesn't really matter what or how you name tables/columns. It is best to try and avoid SQL injection hacks.

I don't think this may stop a good hacker. Over the net you can find many better solutions for your query. If you don't have any experience, in the wikipedia.org there is a suitable description and lots of links.

For a proper protection against SQL injection, you need to make sure the "hacker" cannot execute any database query of his own.

you should not name variables on querystring equal to columns on DB in order to do not give sensitive data to everybody. Apart from this, always sanitize your inputs

Your users should never be able to execute any queries, and bad table names should therefore only confuse you.

Short answer: technically yes, but it is a bad idea. Technically, a shovel full of dirt can stem the flood, but it will still destroy you in the end. Long answer: You always have to escape your data. ALWAYS. No exceptions, EVER.

Funny table names will only hurt your development time and increase your technical debt far more than any benefit this could possibly have. It will cost you time and it probably will lead to an increase in the number of bugs as it definitely is harder to remember.