1. Is the idea behind this purely SQL injection security?
Not at all. In fact, it is often done to allow multiple developers to work in the same system without fear they will tread on each other's work. Joe can only use the DB Inventory; Mary can only use the CustomerInfo database, etc.
But yes, it can be used to improve online security. After all, if the web server is only allowed a certain range of operations, then even somebody who manages to inject or otherwise execute SQL can't do any damage.
2. Every time I switch users it has to re-initialize the connection, right? Should I be concerned about performance loss?
Ummm... I think you are using it wrong if you are switching users based on who logs on to the web site. Most installations have a single user account that is used by all web pages. When there is more than one web site user account, it's usually divided by function, not by user. And since a given web page usually only needs to be concerned with a single function (e.g., inventory control, user account management, sales reporting), that page only makes one connection to the DB using the credentials appropriate to the function of that page. It would be very unusual to have a website where you changed connection info based on what user was logged on. (Well...maybe if you had just a few customers and you only wanted to show data for that customer? But then you would determine the connection at the time they login and use that connection for all other pages. So you still wouldn't CHANGE connections on any pages. I don't think this is necessarily a good way to set up a site, but at least I could imagine it being done.)
__________________
An optimist sees the glass as half full.
A pessimist sees the glass as half empty.
A realist drinks it no matter how much there is.
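The per-function account layout described in the post above, written out as an added example (not code from the original post or its author). It assumes PostgreSQL; the schema, table and role names (`inventory`, `customerinfo`, `web_inventory`, `web_customerinfo`) are invented for illustration, and the password values are placeholders.

```sql
-- Added example (not from the original post): one database login per
-- web-site function, each limited to the objects that function needs.
-- Schema, table and role names are assumptions chosen for illustration.

-- Two function-specific schemas, mirroring "Joe can only use Inventory;
-- Mary can only use CustomerInfo".
CREATE SCHEMA inventory;
CREATE SCHEMA customerinfo;

CREATE TABLE inventory.stock (
    sku     text    PRIMARY KEY,
    on_hand integer NOT NULL CHECK (on_hand >= 0)
);

CREATE TABLE customerinfo.customers (
    customer_id serial PRIMARY KEY,
    email       text   NOT NULL
);

-- One login per function, not per end user. Passwords are placeholders.
CREATE ROLE web_inventory    LOGIN PASSWORD 'CHANGE_ME_placeholder_1';
CREATE ROLE web_customerinfo LOGIN PASSWORD 'CHANGE_ME_placeholder_2';

-- Start from nothing: drop the default grant on the public schema so a
-- new role only sees what it is explicitly given below.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Inventory pages: read and adjust stock levels, nothing else
-- (no INSERT/DELETE, no DDL, no access to other schemas).
GRANT USAGE ON SCHEMA inventory TO web_inventory;
GRANT SELECT, UPDATE ON inventory.stock TO web_inventory;

-- Customer pages: read-only access to customer rows.
GRANT USAGE ON SCHEMA customerinfo TO web_customerinfo;
GRANT SELECT ON customerinfo.customers TO web_customerinfo;

-- Verification, run from an administrative session: confirm the
-- inventory login has no path into the customer data. SQL injected
-- through an inventory page runs with exactly these privileges, so
-- this is the boundary the post is talking about.
SELECT has_schema_privilege('web_inventory', 'customerinfo', 'USAGE')           AS inv_can_use_customerinfo,
       has_table_privilege('web_inventory', 'customerinfo.customers', 'SELECT') AS inv_can_read_customers,
       has_table_privilege('web_inventory', 'inventory.stock', 'UPDATE')        AS inv_can_update_stock,
       has_table_privilege('web_inventory', 'inventory.stock', 'DELETE')        AS inv_can_delete_stock;
```

Each web page then opens its one connection as the role matching its function, which is also why the second question's worry about re-initialising connections per end user does not arise: the role is fixed per page (or per pool), so a connection pool can keep those connections open. The closing `SELECT` is the check worth keeping in a deployment script; only the `UPDATE` column should come back true for the inventory role, and the first three columns reporting anything else means a grant has leaked across the function boundary.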