Security issues of Web form name Design

Hi, everyone. Today, I want to take over a new project with high security. At present, I have encountered some security problems that I did not think about before when designing the form, that is, how to design the form name. The problem is as follows: 1. If the form is designed as follows, the name attribute is "user_name"... Hi, everyone.

Today, I want to take over a new project with high security. At present, I have encountered some security problems that I did not think about before when designing the form, that is, how to design the form name.

The problem is as follows:

1. If the form is designed as follows,nameIf the attribute is "user_name", isn't the database design guessed by others?

html

2. design the following form. This form name is easy to use and process on the backend. You can obtain all the relevant values directly from $ _ POST ['user. So what are the potential risks of the following form name relative to the form name in 1?

html

3. When designing a form name, it does not directly correspond to the database field name. When the form is submitted to the backend, It is mapped back to the corresponding database field name, to do this, you need to write a lot of code to get the form value.

html

Which of the following is the best choice for security and development efficiency? Or is there another way?

Thank you for your help ~

Reply content:

Hi, everyone.

Today, I want to take over a new project with high security. At present, I have encountered some security problems that I did not think about before when designing the form, that is, how to design the form name.

The problem is as follows:

1. If the form is designed as follows,nameIf the attribute is "user_name", isn't the database design guessed by others?

html

2. design the following form. This form name is easy to use and process on the backend. You can obtain all the relevant values directly from $ _ POST ['user. So what are the potential risks of the following form name relative to the form name in 1?

html

3. When designing a form name, it does not directly correspond to the database field name. When the form is submitted to the backend, It is mapped back to the corresponding database field name, to do this, you need to write a lot of code to get the form value.

html

Which of the following is the best choice for security and development efficiency? Or is there another way?

Thank you for your help ~

How can I guess the database? I think your label is php, and you just need to worry about using PDO for injection.

You can encrypt username and write it to html. When the name in the form is accepted, the decryption will be performed again, so that it can be consistent with the database field.

Map fields on the server. For example, if the input in form is user_name, your database can be nickname.