  1. #1
    Regular Coder
    Join Date
    Sep 2009
    Posts
    167
    Thanks
    15
    Thanked 1 Time in 1 Post

    question about SQL table permissions and security

    Hello,

    I've been working with MySQL. When I set up a new user account, there are a lot of permissions that can be activated or not activated. Things like ADD, DELETE, INSERT, DROP, SELECT, etc.

    I'm wondering the following:

    Suppose you have a website that has a search box. Further suppose the MySQL user permission tied to the search box GET/POST form submit is set to SELECT only (meaning the only thing that user account can do to the MySQL database is SELECT).

    Does that mean the search box is safe from SQL injection attack? I would think it would be safe, because the user account only allows it to select information rather than add or drop a table, etc.

    Thanks for any insights.

  • #2
    Senior Coder
    Join Date
    Jul 2011
    Posts
    1,226
    Thanks
    3
    Thanked 171 Times in 171 Posts
    Wrong forum, this should be in the MySQL forum.

  • #3
    Regular Coder
    Join Date
    Sep 2009
    Posts
    167
    Thanks
    15
    Thanked 1 Time in 1 Post
    That's a good idea. I'll post the question over there.

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    I'll move this instead.
    The problem is: what do you have selection privilege to? Remember that SQL injection is not limited to insertion / deletion / update modifications. What stops me from selecting the information from other tables within your database? Perhaps you have users which have clear text passwords (jeez, let's hope not).
    So, short answer: yes, the data couldn't be overwritten with a SELECT-only privilege. Long answer: no, that still doesn't protect you. You'd be surprised how little selection injection is actually required to gain further control of a website. Just being able to inject to draw a complete database structure is a risk, as it now poses an additional place to probe for weakness.

    So to more directly answer your question: sure every little bit certainly helps. If you want, make a selection only user. But, always make sure you are taking precautions for SQL injection regardless of what a user's privilege level is.
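
Added example, not part of the original thread: the point made in post #4, shown as a string-built search query beside its parameterized form on a connection that cannot write. In-memory SQLite stands in for MySQL and `PRAGMA query_only` stands in for a SELECT-only account; the tables, function names and sample input are constructed for illustration.

```python
import sqlite3

# Constructed sample data. SQLite stands in for MySQL here, and
# PRAGMA query_only stands in for an account granted SELECT only.
def open_select_only_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO products VALUES ('red kettle', '19.99'), ('blue mug', '4.50');
        INSERT INTO users VALUES ('alice', 'constructed-secret');
    """)
    db.execute("PRAGMA query_only = ON")  # every write on this connection now fails
    return db

def search_concatenated(db, term):
    # Vulnerable form: the search term becomes part of the SQL text.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Hardened form: the term is bound as data and never parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

def write_is_blocked(db):
    # Confirms the "short answer": data cannot be modified.
    try:
        db.execute("DELETE FROM products")
    except sqlite3.OperationalError:
        return True
    return False

# Constructed search-box input that appends a second SELECT.
CRAFTED_TERM = "zzz' UNION SELECT login, password FROM users --"

if __name__ == "__main__":
    db = open_select_only_db()
    print("write blocked:", write_is_blocked(db))
    print("concatenated: ", search_concatenated(db, CRAFTED_TERM))
    print("parameterized:", search_parameterized(db, CRAFTED_TERM))
    print("normal search:", search_parameterized(db, "mug"))
```

On MySQL the same gap narrows further if the search account is granted SELECT on only the tables the search needs, which answers the "selection privilege to what?" question from the privilege side.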

