Security question

[richardhowell]

My database is designed so that registered users can insert details about themselves, then update and delete their records. If I allow delete permission on a particular table does this pose a security threat for that table. ie. would it be easy for someone to delete all rows in the table? (Similarly for update)

 

[sleipnir214]

If someone has permission to delete a single row of a MySQL table, then he has permission to delete all the rows in a table. The same goes for updating.

I recommend that you place some kind of programmed application between the users and the table. That application can then be programmed with limits that enhances data security.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[richardhowell]

Yes - I have an application (in ultradev) which goes something like this:
Login/password --> success -->
Member menu:
Insert
Update (my details only)
Delete (my details only)

So from that point of view I have programmed in security. What I'm talking about is a seasoned hacker thinking - Hmmm, he's allowed users delete privilege on this table. Think I'll try doing a DELETE from table_x; (I don't know how - but then I'm not a hacker!)

 

[sleipnir214]

What userid and password are you using to manipulate the table? The user's?

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[richardhowell]

Yes. They key in their email address which doubles up as user ID, and they choose their own password.

 

[sleipnir214]

If at all possible, I'd give the application a userid and password and use those credentials for any interaction between the application and MySQL. Then make that userid as hard as possible to get hold of.

But if your application does not permit ad hoc queries, you should be okay.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!