mysql security/injection prevention

04-25-2009, 07:19 AM

I am curious as to some of your security methods to prevent deletion commands, etc., being entered via your forms/params.

Do you use the same db connection/account for all your scripts, or do you use one which has deletion/alter, etc., disabled and then use another (with deletion, etc., allowed) when such actions are necessary? If so, I would imagine you make those scripts mega secure with param-checking regexes, etc.?

That's the direction I am thinking I should go and just wonder what you think.

I have had privileges disabled, but one of my scripts needs them enabled (albeit behind the cms login) and I don't want this to weaken the security.

04-27-2009, 11:27 PM
Each approach has its merits, but I almost always use a single user with the required rights rather than multiple users with varying rights.

You should always be diligent, in every script, about testing user-supplied info to verify that it contains what you expect and nothing more, even when the script only does select statements.

04-28-2009, 01:44 AM
Thanks FishMonger.

I understand what you say, but I wondered if disabling 'delete' from the privileges would be a sure way to prevent an injection deleting my whole db. Then I realised that one script had to be able to delete, and so I wondered if a specific account for that script might be a good way to go, where that script had a 'bells and whistles' approach to checking form and param inputs.

Of course, since you imparted your wisdom (that's not meant to sound sarcastic at all!), I see I need to brush up on O'Reilly and their regexes. ;)

I'll ponder it for a while as I pull together a whole load of 'loose ends' (or strings :p lol) to get this project done.
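The two ideas the thread goes back and forth on, a separate low-privilege account so an injection cannot delete anything, and checking every value that comes in from a form, can both be shown in a few lines. The following is an added example, not code from any of the posters: it runs the same injectable DELETE on a read/write account and on a read-only account, and then shows the fix that makes the account question secondary, a parameterized query where the form value is sent as data rather than spliced into the SQL text. SQLite stands in for MySQL so the example runs offline; the database path, the `pages` table, its rows and the attacker string are all constructed for the example, and the MySQL `GRANT` statements in the comments are the equivalent setup on a real server, not something the thread shows.

```python
"""Added example: SQL injection into a DELETE, and the two defences the thread
discusses (a read-only account, and parameterized queries).  sqlite3 stands in
for MySQL so this runs offline; the MySQL GRANTs are noted in comments."""
import os
import sqlite3
import tempfile

# Constructed sample database, created fresh by setup() for each demo.
DB_PATH = os.path.join(tempfile.mkdtemp(), "cms.db")


def setup() -> None:
    """(Re)create a small 'pages' table with three constructed rows."""
    con = sqlite3.connect(DB_PATH)
    con.executescript("""
        DROP TABLE IF EXISTS pages;
        CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'home',    'Welcome'),
                                 (2, 'about',   'About us'),
                                 (3, 'contact', 'Email us');
    """)
    con.commit()
    con.close()


def count_pages() -> int:
    """How many rows survive; used to check what each demo actually did."""
    con = sqlite3.connect(DB_PATH)
    n = con.execute("SELECT COUNT(*) FROM pages").fetchone()[0]
    con.close()
    return n


def read_write_connection() -> sqlite3.Connection:
    # Stand-in for the one script's account that is allowed to delete, e.g.
    #   GRANT SELECT, DELETE ON cms.pages TO 'cms_admin'@'localhost';
    return sqlite3.connect(DB_PATH)


def read_only_connection() -> sqlite3.Connection:
    # Stand-in for the account every other script uses, e.g.
    #   GRANT SELECT ON cms.* TO 'web_ro'@'localhost';
    # SQLite's ?mode=ro makes any write raise sqlite3.OperationalError.
    return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)


def delete_page_vulnerable(con: sqlite3.Connection, slug: str) -> int:
    """BAD: the form value is pasted into the statement text."""
    sql = f"DELETE FROM pages WHERE slug = '{slug}'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def delete_page_safe(con: sqlite3.Connection, slug: str) -> int:
    """GOOD: placeholder; the driver sends the value separately, so quotes in
    it are data, not SQL syntax.  (Perl DBI does the same with
    $dbh->prepare('... WHERE slug = ?')->execute($slug).)"""
    cur = con.execute("DELETE FROM pages WHERE slug = ?", (slug,))
    con.commit()
    return cur.rowcount


# Constructed attacker input, as it might arrive in a form field or URL param.
INJECTION = "x' OR 'a'='a"


def demo_vulnerable_rw() -> int:
    """Injected DELETE on the read/write account: the WHERE clause becomes
    slug = 'x' OR 'a'='a', which is true for every row."""
    setup()
    con = read_write_connection()
    deleted = delete_page_vulnerable(con, INJECTION)
    con.close()
    return deleted


def demo_vulnerable_ro() -> bool:
    """Same vulnerable code on the read-only account: the DELETE is refused,
    so the missing privilege contains the damage.  Returns True if refused."""
    setup()
    con = read_only_connection()
    try:
        delete_page_vulnerable(con, INJECTION)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def demo_safe_rw() -> int:
    """Parameterized DELETE on the read/write account: the attacker string is
    compared literally, no slug matches, nothing is deleted."""
    setup()
    con = read_write_connection()
    deleted = delete_page_safe(con, INJECTION)
    con.close()
    return deleted


if __name__ == "__main__":
    print("vulnerable, rw account: deleted", demo_vulnerable_rw(), "rows;", count_pages(), "left")
    print("vulnerable, ro account: refused =", demo_vulnerable_ro(), ";", count_pages(), "left")
    print("parameterized, rw account: deleted", demo_safe_rw(), "rows;", count_pages(), "left")
```

The read-only account does what the poster hoped: the injected DELETE fails outright, and the same holds for `DROP`, `ALTER` and `UPDATE` on a MySQL user that was only granted `SELECT`. It does not help the one script that legitimately needs `DELETE`, which is exactly why that script must use placeholders rather than rely on input filtering; the parameterized version deletes nothing for the attacker string and still works for an honest slug such as `about`.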