Is it insecure to....

spstieng

... use table fieldnames as form field names?

I'm creating SQL statements dynamically.

E..g. I have a form where the form field names has the same name as the table fields.

<form name="updateOrganization" action="update.php" method="post">
  <input name="orgID" />
  <input name="orgName" />
</form>

Table Organization has orgID and orgName as fields.

Now in update.php I have

	$query =' UPDATE organization SET ';

foreach($_POST as $key => $value) 
{
  if ($value)
  {  $query.= $key.' = "'.$value.'",';  }
  else
  {  $query.= $key.' = NULL,';  }
}

$query = substr($query, 0,-1);
$query.=' WHERE orgID = "'.$_orgID.'"';

Is it "safe" to display the table names in the HTML file?

Diomedes

Obviously, you MUST NEVER REVEAL any bit of information about your database!.... Thus, your solution, even if very quick for smart developing, it could be extremely dangerous. A smart cracker can use the HTML source to get the necessary coordinates to attack your website at the very core! Indeed, a cracker usually tries the simplest solutions to attack a domain. For example, to login to a MS SQL Server like "sa", which is the default admin username a skilled user must change before using the database in internet.
It's unbelieveable how such incredible mistakes really spread along the web.
Every info we can hide has to be hidden. As the Murphy's Law says, if something can get wrong it will get wrong...
Think always like that when you program for the web and your code will be much more secure....

laserlight

To be honest, it is safe, assuming that your queries are safe from SQL injection.

Using some other name doesnt hurt, of course, but only provides extra security through obscurity, not real security.

Diomedes

Isn't insecure to make available the database table names? Well, it means that I'm a bit paranoic about security, after all. But I've heard about a lot of crackers that managed to break databases knowing the structure. It happened beacuse of some design mistakes like wrong permissions administration, easily guessable usernames (even that of the superadministrator!!...) and other.
In fact, hiding table names is not a real security issue, but I supposed that it was better to do that.