Does naming your form fields the same as mysql actually pose any security risk?

Tags: html, php, mysql

Is there any reason why you should or shouldn't name your form fields exactly the same as the HTML fields?

<input type="text" name="my_field_1" id="my_field_1" /> --> mysql row my_field_1

or

<input type="text" name="myField1" id="myField1" /> --> mysql row my_field_1

The only thing I can think of are probably naming conventions for HTML vs Mysql (personal preference maybe), as well as slight injection prevention (obviously the field name would have to vary more... but all values should be validated first anyway + the use of real escape string).

jwzk asked Oct 14 '22 10:10


2 Answers

The only way I can see this could pose a problem is when the attacker knows the name of a protected column in the same table that is not supposed to be changed through the form, and creates a new input element with that name with the intention of "slipping" the value illegally into the table.

That is something that your program must filter out anyway on program level, so there's no problem with naming form fields after your actual column names. You just need to take care to never loop through every available table column or form field, but be picky about what gets updated.

A secondary, very remote risk is that you are exposing column names in your table. So if you're super-paranoid about security, you may want to give the form fields a name different from their column. But I can't see any real necessity for that.

Pekka answered Oct 25 '22 06:10


If you're validating then no, but don't limit validation to just what you expect from the form. What if you have a comment table with an owner column and you blindly build a SQL update statement from all the fields in the form, because you know there's no owner field on there? What happens if I use TamperData, a firefox extension which allows me to add data to a request and I add an owner field?

Don't loop through all the fields and accept them, make sure only fields you expect are there and there are no extras!

blowdart answered Oct 25 '22 06:10
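The field whitelist that both answers recommend, shown as an added PHP example that is not code from the question or either answer. The `comment` table with `title`, `body` and `owner` columns, and the request arrays, are assumptions made for the illustration.

```php
<?php
// Added example (not from the question or either answer): building an UPDATE
// for the "comment" table scenario blowdart describes. Table, column names and
// the request arrays are assumptions.

declare(strict_types=1);

// The unsafe pattern both answers warn about: every submitted key becomes a
// column, so a smuggled "owner" field silently rewrites the row's owner.
function buildUpdateUnsafe(array $input): string
{
    $sets = [];
    foreach ($input as $column => $value) {       // trusts client-chosen keys
        $sets[] = "`$column` = :$column";
    }
    return 'UPDATE comment SET ' . implode(', ', $sets) . ' WHERE id = :id';
}

// Hardened version: the server owns the column list. Unknown keys are an
// error rather than being dropped quietly, so tampering shows up in logs.
function buildUpdateSafe(array $input, array $allowed = ['title', 'body']): array
{
    $extra = array_diff(array_keys($input), $allowed);
    if ($extra !== []) {
        throw new InvalidArgumentException('Unexpected form fields: ' . implode(', ', $extra));
    }
    $sets = [];
    $params = [];
    foreach ($allowed as $column) {               // iterate OUR list, never the request
        if (array_key_exists($column, $input)) {
            $sets[] = "`$column` = :$column";     // identifier from the whitelist, value bound
            $params[":$column"] = $input[$column];
        }
    }
    if ($sets === []) {
        throw new InvalidArgumentException('No updatable fields supplied');
    }
    return ['UPDATE comment SET ' . implode(', ', $sets) . ' WHERE id = :id', $params];
}

// Constructed request: the form only has title/body, but a tampered request adds owner.
$tampered = ['title' => 'hi', 'body' => 'text', 'owner' => 42];

echo buildUpdateUnsafe($tampered), PHP_EOL;       // owner ends up in the SET clause

try {
    buildUpdateSafe($tampered);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Executing the safe statement with PDO ($pdo and $commentId are placeholders):
// [$sql, $params] = buildUpdateSafe(['title' => 'hi']);
// $pdo->prepare($sql)->execute($params + [':id' => $commentId]);
```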