If my database user is read only, why do I need to worry about SQL injection?

Can they (malicious users) describe tables and get vital information? What about if I lock down the user to specific tables? I'm not saying I want SQL injection, but I wonder about old code we have that is susceptible but the DB user is locked down. Thank you.

EDIT: I understand what you are saying, but if I have no response.write for the other data, how can they see it? Bringing it to a crawl and DoS make sense, and so do the others, but how would they actually see the data?

johnny asked Aug 11 '09 22:08



2 Answers

Someone could inject SQL to cause an authorization check to return the equivalent of true instead of false to get access to things that should be off-limits.

Or they could inject a join of a catalog table to itself 20 or 30 times to bring database performance to a crawl.

Or they could call a stored procedure that runs as a different database user that does modify data.

Harold L answered Nov 09 '22 00:11
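The first point in the answer above (an injected clause flipping an authorization check) is easy to see in code. The following is an added illustration, not code from the question or either answer: it seeds a constructed SQLite file with two sample accounts, reopens it read-only (SQLite's `mode=ro` URI flag), and runs the same login check two ways. The read-only connection does reject writes, yet the concatenated query still returns "logged in" for a made-up password value, while the parameterized version treats that same value as plain data. Table and column names, the sample rows and the helper names are all assumptions for this example.

```python
import os
import sqlite3
import tempfile

# Constructed sample accounts for the demo; not real credentials.
_SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_seeded_db() -> str:
    """Create a temporary SQLite file, seed the users table, return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", _SAMPLE_USERS)
    con.commit()
    con.close()
    return path


def open_readonly(path: str) -> sqlite3.Connection:
    # mode=ro makes the connection refuse any statement that would modify data,
    # which is the equivalent of the "read-only database user" in the question.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    # String concatenation: the caller's input becomes part of the SQL text,
    # so quoting characters in it change the query's logic.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders: the driver binds the input as a value; it can never
    # alter the WHERE clause, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()[0] > 0


def write_is_rejected(con: sqlite3.Connection) -> bool:
    """Confirm the read-only restriction is actually enforced."""
    try:
        con.execute("DELETE FROM users")
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True
    return False


def demo() -> dict:
    """Run the comparison and return the four outcomes by name."""
    path = make_seeded_db()
    try:
        con = open_readonly(con_path := path)
        # A constructed password value that closes the quote and appends
        # an always-true condition; no data is written or read beyond the count.
        crafted = "' OR '1'='1"
        results = {
            "readonly_blocks_writes": write_is_rejected(con),
            "vulnerable_wrong_password": login_vulnerable(con, "alice", "wrong"),
            "vulnerable_crafted_password": login_vulnerable(con, "alice", crafted),
            "parameterized_crafted_password": login_parameterized(con, "alice", crafted),
        }
        con.close()
        return results
    finally:
        os.remove(con_path)


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point for the question's "old code" is that the database permission model only bounds what the injected SQL may *do*; it says nothing about what the application will *conclude* from the query's result. A read-only user stops `DROP TABLE`, not a `SELECT` that has been rewritten to say "yes".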


'); SELECT * FROM Users

Yes, you should lock them down to only the data (tables/views) they should actually be able to see, especially if it's publicly facing.

Scott Whitlock answered Nov 08 '22 23:11