--- title: "FOR XML Security Considerations (SQLXML 4.0) | Microsoft Docs" ms.custom: "" ms.date: "03/06/2017" ms.prod: "sql-server-2016" ms.reviewer: "" ms.suite: "" ms.technology: - "dbe-xml" ms.tgt_pltfrm: "" ms.topic: "reference" helpviewer_keywords: - "NESTED mode" - "client-side XML formatting" - "FOR XML clause, security" - "server-side XML formatting" - "AUTO mode" - "security [SQLXML], FOR XML" ms.assetid: facba279-df93-475b-ad43-0043dc5bae03 caps.latest.revision: 23 author: "douglaslMS" ms.author: "douglasl" manager: "jhubbard" --- # FOR XML Security Considerations (SQLXML 4.0) The FOR XML AUTO mode generates an XML hierarchy in which element names map to table names and attribute names map to column names. This exposes the database table and column information. You can hide the database information when you use AUTO mode (server-side formatting) by specifying table and column aliases in the query. These aliases are returned in the resulting XML document as element and attribute names. For example, the following query specifies AUTO mode; therefore, the XML formatting is done on the server: ``` SELECT C.FirstName as F,C.LastName as L FROM Person.Contact C FOR XML AUTO ``` In the resulting XML document, the aliases are used for element and attribute names: ``` ... ``` When you use NESTED mode (client-side formatting), aliases are returned only for attributes in the resulting XML document. The names of the base tables are always returned as element names. For example, the following query specifies NESTED mode. ``` SELECT C.FirstName as F,C.LastName as L FROM Person.Contact C FOR XML AUTO ``` In the resulting XML document, the names of the base tables are returned as element names and table aliases are not used: ``` ... ```