Reputation: 538
When I use PHP + Mysql, I find it convenient to have the same html input names as the database column names. This simplifies the CRUD operations quite a bit.
There is a dilemma, though. On one hand, this one-to-one correspondence simplifies the things, but on the other, an attacker may exploit this correspondence.
If the HTML input names are different from the DB column names, then, I guess, I should be having some kind of name map, where the HTML input names are translated into the DB column names, but I think this worsens the understandability of the code.
I wonder what people usually do in such cases.
Upvotes: 0
Views: 69
Reputation: 137031
You are describing security through obscurity:
In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.
If you are careful about using real security measures (e.g. restrict access to the database by IP address, use an encrypted connection and a good password, make sure to protect against SQL injection by using prepared statements, etc.) it shouldn't matter if an attacker knows the layout of your database.
If the HTML input names are different from the DB column names, then, I guess, I should be having some kind of name map, where the HTML input names are translated into the DB column names, but I think this worsens the understandability of the code.
You are right to be concerned about your code's readability. This is much more important than obscuring your database schema.
Upvotes: 2
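One way to keep the matching input and column names while still applying the real measures the answer lists, as an added example that is not code from the question or the answer: the set of writable columns is fixed in code (an allow-list) and values only ever reach the query through bound parameters. The `users` table and its `is_admin` column are constructed for the demo, and SQLite in-memory is used only so the script runs stand-alone; the same PDO calls work against MySQL.

```php
<?php
// Added example: update a row from a form whose input names equal the column names,
// without letting the client choose which columns are written or inject into them.

const EDITABLE_COLUMNS = ['name', 'email', 'bio'];   // allow-list, never derived from the request

function updateUser(PDO $pdo, int $id, array $input): int
{
    $assignments = [];
    $params = [':id' => $id];

    foreach (EDITABLE_COLUMNS as $column) {
        if (!array_key_exists($column, $input)) {
            continue;                                // field not submitted: leave column untouched
        }
        $assignments[] = "`$column` = :$column";     // identifier comes from our constant
        $params[":$column"] = $input[$column];       // value is bound, never interpolated
    }
    if ($assignments === []) {
        return 0;                                    // nothing editable was submitted
    }
    $sql = 'UPDATE `users` SET ' . implode(', ', $assignments) . ' WHERE `id` = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed schema and row (SQLite in-memory so this runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `name` TEXT, `email` TEXT, '
         . '`bio` TEXT, `is_admin` INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO `users` (`id`, `name`, `email`) VALUES (42, 'Alice', 'old@example.com')");

// Constructed request: the client also submits is_admin. Its name matches a real column,
// but it is not in the allow-list, so it never becomes part of the statement.
$submitted = ['name' => "Alice O'Neil", 'email' => 'alice@example.com', 'is_admin' => '1'];
$changed = updateUser($pdo, 42, $submitted);

$row = $pdo->query('SELECT `name`, `email`, `is_admin` FROM `users` WHERE `id` = 42')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($changed, $row);   // name and email updated; is_admin untouched by the request
```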