04-22-2011, 11:02 PM
Is there a way for someone to download your entire SQL database - or said another way, is it possible to protect it?
Just interested b/c we are spending a lot of time populating our db and I wouldn't like to think that there is some sort of harvester out there that hackers can execute...
04-23-2011, 01:03 AM
They could only download it if:
-- they somehow got at least FTP access to your server (but if they do that, then they can download everything on the server)
-- you put the directory that contains the db files *inside* the directories that are accessible via HTML *and* allow at least read access to those files by the web server
In short, if you do something really foolish, you are hosed. Use reasonable and customary precautions and you are safe.
04-23-2011, 06:00 AM
A database can be downloaded via SQL Injection too.
04-23-2011, 07:10 AM
Hmmm...not sure how you would do that.
You could certainly issue a command via sql injection, but unless the web server is simply dumping out raw data with no formatting, etc., it would be hard to get any significant amount of data.
Still...it's a good point.
Could be mitigated a lot in various ways. I know some DB shops that only allow the web server user to utilize a certain set of stored procedures. It's pretty draconian, but it's certainly ultra-safe.
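
The stored-procedure-only setup mentioned in the last post, sketched as an added example that is not from any poster in this thread. It assumes MySQL syntax, and every name in it (`shop`, `products`, `proc_owner`, `webapp`, `get_product`) and both passwords are hypothetical placeholders.

```sql
-- Added example: the web server's database account may only CALL an
-- approved stored procedure and holds no privileges on the tables.
-- All names and passwords below are hypothetical placeholders.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE IF NOT EXISTS products (
    id    INT UNSIGNED  PRIMARY KEY,
    name  VARCHAR(100)  NOT NULL,
    price DECIMAL(10,2) NOT NULL
);

-- Account that owns the procedure. The web application never logs in
-- with it; it exists so the procedure runs with narrow rights.
CREATE USER IF NOT EXISTS 'proc_owner'@'localhost' IDENTIFIED BY 'CHANGE_ME_OWNER';
GRANT SELECT ON shop.products TO 'proc_owner'@'localhost';

-- DELIMITER is a mysql command-line client directive, not server SQL.
DELIMITER //
CREATE DEFINER = 'proc_owner'@'localhost'
PROCEDURE get_product(IN p_id INT UNSIGNED)
    READS SQL DATA
    SQL SECURITY DEFINER
BEGIN
    -- The parameter is typed and bound, never concatenated into SQL text,
    -- and the query returns at most one row per call.
    SELECT id, name, price
      FROM products
     WHERE id = p_id
     LIMIT 1;
END //
DELIMITER ;

-- The definer account needs EXECUTE on its own routine as well.
GRANT EXECUTE ON PROCEDURE shop.get_product TO 'proc_owner'@'localhost';

-- Account used by the web server: EXECUTE on the one procedure, with no
-- SELECT/INSERT/UPDATE/DELETE on any table and no FILE privilege.
CREATE USER IF NOT EXISTS 'webapp'@'localhost' IDENTIFIED BY 'CHANGE_ME_WEBAPP';
GRANT EXECUTE ON PROCEDURE shop.get_product TO 'webapp'@'localhost';

-- Review what the web account is actually allowed to do.
SHOW GRANTS FOR 'webapp'@'localhost';
```

With grants like these, a statement injected through the web application runs as `webapp`, which has no privilege to read `products` directly and can only obtain what `get_product` returns.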