Show table fields, could it be a security problem?

jabberjabber Posts: 23 Questions: 1 Answers: 0
edited March 2012 in General
Question posted here http://datatables.net/forums/discussion/comment/29613#Comment_29613 by johnadamsy.
See below:

[code]
oTable = $('#grid-jquery-datatables').dataTable( {
"aoColumns":[
{ "mDataProp": "id" , .... },
{ "mDataProp": "name", ... },
{ "mDataProp": "age", ... }
],
....
[/code]

For security reasons, could it be dangerous to show table attributes like this in JS code?
What do you think?

Replies

  • allan Posts: 63,542 Questions: 1 Answers: 10,476 Site admin
    I can't see why it would be - it would be trivial to look at Firebug to see what is in the JSON and thus determine what is in the payload - possibly easier doing it that way than looking at the source for the DataTables init. What aspect of it would be a security issue? If they had access to your database then perhaps, but at that point, they would already have all the information needed and not need to gather it from here!

    Allan
  • jabberjabber Posts: 23 Questions: 1 Answers: 0
    Obviously, the less I reveal about the details of our database, the better it is for our database security.
    For example, think about SQL injection.
  • allan Posts: 63,542 Questions: 1 Answers: 10,476 Site admin
    Fair enough :-). You can obfuscate the names of the columns as much as you want - indeed you could even sha1 sum them or similar. It might make development a little bit harder, but there is no requirement for you to use the db column names - I tend to just do it for ease of development.

    Allan
  • jabberjabber Posts: 23 Questions: 1 Answers: 0
    Can you be more explicit, please?
    I'm not an expert in DataTables usage; why is there no requirement to use the column names?
    Is there an alternative? (I'm thinking about this now.)

    Thank you
  • allan Posts: 63,542 Questions: 1 Answers: 10,476 Site admin
    I just mean that if you have a JSON feed that looks like this:

    [code]
    [
    { "col1": 1, "col2": 2 }
    ]
    [/code]

    why not just call the fields something else?

    [code]
    [
    { "myFirstColumn": 1, "mySecondColumn": 2 }
    ]
    [/code]

    DataTables doesn't care what you call your db columns, it is only concerned about the names of the fields in the JSON feed, and you can easily translate the db columns names to something else if you are really worried about someone knowing what the field names are (but then, the server should be able to cope with SQL injection attacks anyway, so it shouldn't really matter!).

    Allan
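The two points Allan makes above, renaming the database columns in the JSON feed and making the server cope with SQL injection regardless of what the client knows, can be shown together in one small server-side handler. The following is an added example and not code from the thread or from DataTables itself. It assumes a hypothetical `people` table with columns `id`, `name` and `age` (constructed sample data, not real), exposes them to the client only under aliased field names, and treats the sort field, sort direction and search string the way a DataTables server-side request would supply them: the field name is looked up in an allow-list, and the search value is always a bound parameter. The deliberately unsafe variant at the end is there for contrast only.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_ROWS = [
    (1, "Alice", 34),
    (2, "Bob", 27),
    (3, "Carol", 41),
]

# Names used in the JSON feed (what the DataTables init sees) mapped to the
# real column names. The client only ever sees the left-hand side.
FIELD_TO_COLUMN = {
    "myFirstColumn": "id",
    "mySecondColumn": "name",
    "myThirdColumn": "age",
}
COLUMN_TO_FIELD = {col: field for field, col in FIELD_TO_COLUMN.items()}


def open_db():
    """Create an in-memory SQLite database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)"
    )
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_rows(conn, sort_field="myFirstColumn", sort_dir="asc", search=""):
    """Return rows as dicts keyed by the public field names.

    sort_field, sort_dir and search model the client-supplied parameters of
    a DataTables server-side request. The sort field is translated through
    the allow-list (anything else is rejected), the direction is checked
    against a fixed set, and the search string is bound as a parameter, so
    no client value is ever interpolated into the SQL text.
    """
    if sort_field not in FIELD_TO_COLUMN:
        raise ValueError("unknown sort field: %r" % (sort_field,))
    if sort_dir not in ("asc", "desc"):
        raise ValueError("bad sort direction: %r" % (sort_dir,))
    order_by = "%s %s" % (FIELD_TO_COLUMN[sort_field], sort_dir.upper())
    sql = "SELECT id, name, age FROM people WHERE name LIKE ? ORDER BY " + order_by
    cur = conn.execute(sql, ("%" + search + "%",))
    # Rename the columns on the way out so the feed never exposes the schema.
    fields = [COLUMN_TO_FIELD[d[0]] for d in cur.description]
    return [dict(zip(fields, row)) for row in cur.fetchall()]


def fetch_rows_unsafe(conn, sort_column="id", search=""):
    """DO NOT USE: the vulnerable counterpart, shown only for contrast.

    Both the search value and the sort column are pasted into the SQL text,
    so a client who knows (or guesses) the column names, or who just sends a
    quote, controls the query. Returns raw tuples.
    """
    sql = (
        "SELECT id, name, age FROM people WHERE name LIKE '%" + search + "%' "
        "ORDER BY " + sort_column
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(fetch_rows(db, "myThirdColumn", "desc"))
    hostile = "zzz%' OR 1=1 --"
    print("safe:", fetch_rows(db, search=hostile))
    print("unsafe:", fetch_rows_unsafe(db, search=hostile))
```

With the hostile search string the safe handler returns nothing (no name contains that text), while the unsafe one returns every row because the quote terminates the LIKE literal and `--` comments out the rest. The aliasing costs one dictionary lookup per request and one rename per row; whether the client learns the real column names then makes no difference to the query that runs.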