Posted by fletch on 04/13/06 09:51

DOS is simple enough

select * from table1,table2,...tableN

Will cause a cross product to be calculated.If each of three tables has
10 rows, the query above will return 10^3=1000 rows.

Postgresql also does TRUNCATE - not sure about mysql.

MySQL has good permissions, you could connect to the db as a different
user and with only a limited set of permissions.

What about functions?

select LOAD_FILE('/etc/passwd');'

• Next in forum: Re: if I allow anyone on the web to run SQL queries against my database, what are the obvious attacks hackers will try?
• Prev in forum: Re: Passing variables
• Thread view: Re: if I allow anyone on the web to run SQL queries against my database, what are the obvious attacks hackers will try?

[Reply to this message]