I am using CodeIgniter for database access, but I have a security concern.
$q = $this->db->query("SELECT * FROM mytable WHERE id = '$p'");
return $q->result();
When I load the result array into my view, I JSON-encode the payload and write it into the page output.
I feel that leaking the schema details is bad practice, since it would give malicious users insights into relevant details about my backend.
How can I avoid displaying table field names?
You can strip the table field names by changing your return statement to:
return array_values($q->result_array());
Better ways would be to parse the results:
$q = $this->db->query("SELECT * FROM mytable WHERE id = '$p'");
$result = $q->row_array();   // first row as an associative array (result() returns objects, not arrays)
$values = array();
$values[] = $result['id'];
$values[] = $result['column1'];
$values[] = $result['column2'];
return $values;
or specify which columns you need in the SQL statement in case the schema changes:
SELECT id, column1, column2 FROM mytable WHERE id = '$p'
Finally, as allen213 mentioned, you should use bindings to prevent injection attacks:
$sql = 'SELECT * FROM mytable WHERE id = ?';
$q = $this->db->query($sql, array($p));
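Putting the answer's points together (explicit column list, query bindings, and positional rows for every returned row rather than only the first) as an added example that is not code from the question or the answer; `Mytable_model` and the `Fake_db`/`Fake_result` stubs standing in for CodeIgniter's `$this->db` are constructed here so the file runs on its own.

```php
<?php
// Added example: shape rows as positional arrays before JSON-encoding them,
// so the page output carries the values but none of the column names.

class Mytable_model
{
    private $db;

    // CodeIgniter would provide $this->db itself; it is passed in here so the
    // class can be exercised with the stub below (constructed for this example).
    public function __construct($db) { $this->db = $db; }

    // Explicit column list: the output shape stays fixed if the schema grows,
    // and the binding placeholder (?) keeps $p out of the SQL text entirely.
    public function get_rows($p)
    {
        $sql = 'SELECT id, column1, column2 FROM mytable WHERE id = ?';
        $q = $this->db->query($sql, array($p));

        // Drop the keys of every row, not just the first one. Sequential arrays
        // json_encode() as JSON lists; associative ones would become objects
        // whose keys are the column names.
        return array_map('array_values', $q->result_array());
    }
}

// Stubs standing in for CodeIgniter's database driver (constructed, not real).
class Fake_db
{
    public function query($sql, $binds) { return new Fake_result($binds[0]); }
}

class Fake_result
{
    private $id;
    public function __construct($id) { $this->id = $id; }
    public function result_array()
    {
        // What CodeIgniter's result_array() returns: one associative array per row.
        return array(array('id' => $this->id, 'column1' => 'a', 'column2' => 'b'));
    }
}

$model = new Mytable_model(new Fake_db());
$rows  = $model->get_rows('42');        // the value travels as a bound parameter
echo json_encode($rows), PHP_EOL;       // a list of lists, no field names in the output
```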