mysql injections and user privileges

Status
Not open for further replies.

bnooch

Programmer
Mar 16, 2006
4
US
Hello,
I'm having a friendly debate with someone I adopted some code from. Well, I noticed that he was using the $_GET variable directly in his MySQL queries. So, I told him I thought that was a security vulnerability. He says it's not because the user connecting to the database has select only privileges.

So my question is, is giving a user select only privileges safe enough to not have to do any data validation or scrubbing to protect from MySQL injections?
 
Using the least possible privileges is only one of the methods to prevent SQL injection ...
 
In other words, the user's privileges should prevent the execution of unauthorized commands. But, you're relying on MySQL being bug-free.

I'd never propose *not* validating and sanitizing the SQL statements.
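
As an added example that is not part of the original thread: the sketch below shows why read-only privileges alone do not settle the question. It uses Python's built-in SQLite with `PRAGMA query_only` as a stand-in for a SELECT-only MySQL grant; the table, the function names and the input string are constructed for illustration.

```python
import sqlite3

# Constructed input of the kind a request parameter could carry.
CONSTRUCTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build constructed sample data, then make the connection read-only.
    PRAGMA query_only is an assumption standing in for a SELECT-only grant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.test'),
            ('bob',   'bob@example.test'),
            ('carol', 'carol@example.test');
    """)
    conn.commit()
    conn.execute("PRAGMA query_only = ON")
    return conn


def can_write(conn):
    """Return True if the connection is able to modify data."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.OperationalError:
        return False  # the read-only restriction blocked the write


def lookup_concat(conn, name):
    """Same pattern as placing $_GET directly in the query string."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Bound parameter: the input is only ever treated as a value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("writes possible:", can_write(db))
    print("concatenated:", lookup_concat(db, CONSTRUCTED_INPUT))
    print("bound:", lookup_bound(db, CONSTRUCTED_INPUT))
```

The write is rejected, yet the concatenated query still returns every row, because reading data the page never meant to show needs nothing more than SELECT. The bound query returns no rows for the same input.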
 