I have been working with someone who has used AJAX to call results from a database to refresh a results table as oppose to reloading the HTML page.
The data is being sent as JSON from a PHP script but this is exposing the field names used in the SQL database.
Is this something to worry about in terms of security? Personally I do not feel comfortable with the filed names being visible on the client side.
Maybe this is just the way things are done now, or is there something that can be done in PHP that will reduce any potential risk?
You can easily hide things like that. You can for example call getData.php?type=employees and retrieve the data by reacting on the type value.
Of course you have to use aliases in the query to hide real fields name.
Example:
select employee__name as Name from employees
I never reveal fields names in a client script.