...

View Full Version : question about SQL table permissions and security



code beginner
07-27-2011, 04:46 AM
Hello,

I've been working with MySQL. When I set up a new user account, there are a lot of permissions that can be activated or not activated. Things like ADD DELETE INSERT DROP SELECT, etc.

I'm wondering the following:

Suppose you have a website that has a search box. Further suppose the MySQL user permission tied to the search box GET/POST form submit is set to SELECT only (meaning the only thing that user account can do to the MySQL database is SELECT).

Does that mean the search box is safe from SQL injection attack? I would think it would be safe, because the user account only allows it to select information rather than add or drop a table, etc.

Thanks for any insights.

BluePanther
07-27-2011, 10:07 AM
Wrong forum, this should be in the MySQL forum.

code beginner
07-27-2011, 11:59 PM
that's a good idea. i'll post the question over there.

Fou-Lu
07-28-2011, 12:16 AM
I'll move this instead.
The problem is what do you have selection privilege to? Remember that SQL Injection is not limited to insertion / deletion / update modifications. What stops me from selecting the information from other tables within your database; perhaps you have users which have clear text passwords (jeez lets hope not).
So, short answer yes the data couldn't be overwritten with a SELECT only privilege. Long answer, no that still doesn't protect you. You'd be surprised how little selection injection is actually required to gain further control of a website. Just being able to inject to draw a complete database structure is a risk as it now poses additional place to probe for weakness.

So to more directly answer your question: sure every little bit certainly helps. If you want, make a selection only user. But, always make sure you are taking precautions for SQL injection regardless of what a user's privilege level is.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum