Posted by Pat on 01/08/06 14:12
Thanks
"Dikkie Dik" <"' OR 1=1 LIMIT 1-- haha"@haha.com> schreef in bericht
news:dpp7pb$67m$1@news.cistron.nl...
>> I wrote a web application with a MySQL database. In the PHP code, I use user
>> 'root' in the mysql_connect command.
>>
>> The user of the application is limited to the application and cannot
>> delete or alter a table, only update, delete and insert into the tables.
>>
>> Is it a good practice to do so, or is it better to define an "anonymous"
>> user with limited rights?
>
> As Markus said, it is better to create a limited "web" user. If a hacker
> somehow gets the account data, he cannot do more than the web user could
> do via the page. If you really want to limit the database access and if
> your database supports stored procedures, you could define a stored
> procedure for every allowed action on the database and grant only execute
> rights to the web user.
>
> Best regards
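The two options the reply describes (a restricted "web" account, and a stricter procedure-only account) written out as MySQL statements. This is an added example, not code from anyone in the thread; the schema name `appdb`, the `orders` table, the `webapp` account, the `add_order` procedure and the password placeholder are all assumptions chosen for illustration.

```sql
-- Added example (not from the original thread): least-privilege MySQL setup
-- for a PHP web application that currently connects as 'root'.
-- Names (appdb, orders, webapp, add_order) and the password are assumed.

CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.orders (
    id          INT AUTO_INCREMENT PRIMARY KEY,
    customer_id INT NOT NULL,
    amount      DECIMAL(10,2) NOT NULL,
    created_at  DATETIME NOT NULL
);

-- 1. A dedicated account for the web tier instead of 'root'.
--    Replace the placeholder password before use.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'CHANGE_ME_STRONG_PASSWORD';

-- 2. Option A: row-level DML on one schema only. No DROP, ALTER, CREATE,
--    GRANT or FILE, and nothing outside appdb. If the credentials leak, an
--    attacker can do no more than the application itself could.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';

-- 3. Option B: wrap each allowed action in a stored procedure and grant
--    EXECUTE only, so the web account holds no table privileges at all.
--    SQL SECURITY DEFINER runs the body with the procedure owner's rights,
--    which is what lets a user with no INSERT privilege insert through it.
DELIMITER //
CREATE PROCEDURE appdb.add_order(IN p_customer_id INT, IN p_amount DECIMAL(10,2))
    SQL SECURITY DEFINER
BEGIN
    INSERT INTO appdb.orders (customer_id, amount, created_at)
    VALUES (p_customer_id, p_amount, NOW());
END //
DELIMITER ;

-- Going procedure-only means removing the broad grants from Option A ...
REVOKE SELECT, INSERT, UPDATE, DELETE ON appdb.* FROM 'webapp'@'localhost';
-- ... and allowing exactly the procedures the application calls.
GRANT EXECUTE ON PROCEDURE appdb.add_order TO 'webapp'@'localhost';

-- Verify what the web account can actually do.
SHOW GRANTS FOR 'webapp'@'localhost';
```

After this, the PHP side connects as `webapp` rather than `root` and, under Option B, calls `CALL appdb.add_order(?, ?)` instead of issuing `INSERT` directly. `SHOW GRANTS` is the quick check that no schema-wide or global privilege crept in.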