I have an ajax method that essentially works like this
function getRow(tableName, idName, idValue, callback)
The obvious benefit of this is that I have one function that can retrieve data from any table. However, this just feels wrong from a security perspective, is it a security risk to do so? The corresponding PHP files that actually read/manipulate the database are secured through a prior authentication process, so theoretically, the visibility of table names in a vacuum shouldn't be a risk (not to mention that the database only accepts localhost connections), but I wonder if there isn't a better/prettier way to accomplish this.
Edit: Just to clarify the authentication process, user/role security prevents access to all tables except those explicitly allowed for the user.
If you're sure that you have no SQL injection vulnerabilities, and that you never will, it's fine.
If you do have a SQL injection vulnerability, it will make the attacker's job somewhat easier.
It goes without saying (I hope) that the server-side script must use a whitelist of tables and columns that can be exposed via this method.
Table names alone aren't that bad, however, the API you seem to be making may not be the best idea...
Think carefully about whether there are some tables that people shouldn't be able to query, because from the looks of it, I could query any table in your database from the client side. For example:
getRow('users', 'id', '7', function(data){console.log(data)})
What if the users table returns their password? Even if it is hashed, that's not good. Or their email? What if I want to harvest all of the users' emails? Pretty easy script I could write to do that.
It is a risk because it provides information to attackers. It's the same as providing the software version of software that you are using. It is not a vulnerability per se, but it's a door to vulnerabilities.
This is a really bad idea.
For instance, let's say you are using this code:
$table_name=mysql_real_escape_string($_GET['table']);
$id_name=mysql_real_escape_string($_GET['idname']);
$id_value=mysql_real_escape_string($_GET['idvalue']);
mysql_query("select * from `$table_name` where `$id_name`='$id_value'");
This can be exploited a number of ways:
NOT SQL Injection:
This query will return the root user in mysql.user, and this is NOT SQL Injection:
?table=mysql.user&idname=user&idvalue=root
This request will create the query:
select * from `mysql.user` where `user`='root'
SQL Injection:
This works because mysql_real_escape_string does not escape back-ticks: ``
?table=`table where 1 union select * from mysql.user/*&idname=junk&idvalue=junk
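The defensive pattern the answers keep coming back to (a server-side allow-list of tables and columns per role, with the lookup value bound as a parameter rather than escaped into the query) is shown below as an added example. It is not code from any of the answers above, and it uses Python with an in-memory SQLite database instead of the PHP/MySQL setup the question describes; the roles, tables, columns and sample rows are constructed for the demonstration. Identifiers never come from the request: the request only names a table and column, which are looked up in the allow-list, and anything not listed is refused before any SQL is built.

```python
import sqlite3

# Constructed allow-list. For each role: which tables it may read, which
# columns it may look rows up by, and which columns may ever be returned.
# Note that password_hash is never listed, so it can never reach the client.
ALLOWED = {
    "user": {
        "users": {"id_columns": {"id"},
                  "return_columns": ["id", "username"]},
    },
    "admin": {
        "users": {"id_columns": {"id", "email"},
                  "return_columns": ["id", "username", "email"]},
        "orders": {"id_columns": {"id"},
                   "return_columns": ["id", "user_id", "total"]},
    },
}


class Forbidden(Exception):
    """Raised when the request names a table or column outside the allow-list."""


def build_demo_db():
    """Constructed sample schema and rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, email TEXT, password_hash TEXT);
        INSERT INTO users VALUES (7, 'alice', 'alice@example.test', 'constructed-hash');
        CREATE TABLE orders(id INTEGER, user_id INTEGER, total REAL);
        INSERT INTO orders VALUES (1, 7, 19.99);
    """)
    return conn


def get_row(conn, role, table, id_name, id_value):
    """Server-side counterpart of the client's getRow(tableName, idName, idValue).

    role comes from the authenticated session, never from the request body.
    """
    spec = ALLOWED.get(role, {}).get(table)
    if spec is None:
        raise Forbidden(f"table not allowed for role {role!r}: {table!r}")
    if id_name not in spec["id_columns"]:
        raise Forbidden(f"lookup column not allowed: {id_name!r}")

    # Both identifiers now come from the allow-list, not from the request,
    # so quoting them is safe; the value is bound as a parameter.
    cols = ", ".join(f'"{c}"' for c in spec["return_columns"])
    sql = f'SELECT {cols} FROM "{table}" WHERE "{id_name}" = ?'
    row = conn.execute(sql, (id_value,)).fetchone()
    if row is None:
        return None
    return dict(zip(spec["return_columns"], row))


if __name__ == "__main__":
    db = build_demo_db()
    print(get_row(db, "user", "users", "id", 7))
    print(get_row(db, "admin", "orders", "id", 1))
    try:
        get_row(db, "user", "orders", "id", 1)
    except Forbidden as exc:
        print("refused:", exc)
```

Because the allow-list is keyed by role, the same endpoint serves the "user/role security" the question's edit describes without the client ever being able to name a table the role is not mapped to, and the column projection means a row from the users table cannot carry the password hash even for an allowed lookup.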