is this overkill?
Posted: Sun Aug 26, 2007 4:35 pm
by Z3RO21
With MySQL would it be overkill to have an account that can only select data from the database to be used whenever information is to be extracted from the database for eventual use? Of course there will be another account that will have more privileges so that it can update, create, and delete.
* Reason this is in PHP security is it is for use within a PHP-driven system.
Posted: Sun Aug 26, 2007 4:47 pm
by VladSun
It will add another level of security - at DB layer. I would always do this, when I am permitted and able to create more than one user with different privileges on a database. Pity for me these cases are rare because of the limits in hosting providers' plans.
It would make some of the SQL injection attacks useless, but you still should take care of security at code level.
Posted: Sun Aug 26, 2007 9:27 pm
by Z3RO21
I have already implemented all the anti-XSS and SQL injection techniques. I just didn't know if this was a worthwhile idea, because personally I think it is nice because it does limit the amount of possible attacks. But thanks for the input.

Posted: Sun Aug 26, 2007 10:11 pm
by ReDucTor
If you're using mysql, mysql_query() does not allow multiple queries, so this will be useless; the only query which you might be able to change a select to which would change things would be "SELECT .. FROM .. INTO .. WHERE ...", but the only place where you're going to have user input is in the WHERE section.
However, if you're using Mysqli or PDO, I am unaware if they support multiple queries.
My method for preventing SQL, XSS, etc. is:
1. Always use raw input (ignore magic_quotes, etc.) -- This means you are in charge of escaping anything
2. Always addslashes() on mysql query strings, or intval() for integers (nowhere else, as they don't need it)
3. Always use htmlspecialchars() or htmlentities() on output (not on storage, as it's not needing to be escaped yet)
4. Always use urlencode() on items passed through a URL
5. In any places where needed, validate for CSRF (cross-site request forgery) - BIGGEST PAIN IN THE ARSE!
6. Always do input validation. -- MOST IMPORTANT
I personally have an input() function which works with the filter functions in PHP, which gets the POST and GET variables and also handles CLI input, which handles validation of email, URL, etc. This ensures I only get the values I want, then everything is passed raw to any objects, functions, etc. It is the places which output or store which should be in charge of escaping unsafe characters, not over the whole PHP script (like magic_quotes, which I hate so much).
Posted: Sun Sep 16, 2007 4:05 pm
by Attilitus
Although the best security is a good database abstraction class, it never hurts to create some more access limits. It makes great sense to only allow select-db access for non-registered guests who won't be able to edit the database anyway. If it doesn't cause unnecessary problems for you, it seems like a decent security measure. Don't feel overly secure and feel like you don't need to keep your code clean and well-written because of it, though. Evil-doers will have no problem registering a regular account on your site if they are truly determined.
Posted: Sun Sep 16, 2007 4:35 pm
by superdezign
ReDucTor wrote: If you're using mysql, mysql_query() does not allow multiple queries
You know... I never even thought of that. I always thought it was a bad thing that mysql_query had that limitation.
ReDucTor wrote: 2. Always addslashes() on mysql query strings, or intval() for integers (nowhere else, as they don't need it)
*cough*mysql_escape_string()*cough*
ReDucTor wrote: 4. Always use urlencode() on items passed through a URL
... Why? That wouldn't help MySQL.
Posted: Sun Sep 16, 2007 5:40 pm
by jeffery
superdezign wrote: *cough*mysql_escape_string()*cough*
mysql_escape_string is deprecated. It's time to start using mysql_real_escape_string().
Posted: Sun Sep 16, 2007 7:01 pm
by superdezign
jeffery wrote: superdezign wrote: *cough*mysql_escape_string()*cough*
mysql_escape_string is deprecated. It's time to start using mysql_real_escape_string().
That is soooo what I meant to say!

;_;
Posted: Sun Sep 16, 2007 11:02 pm
by mrkite
I always have separate read and update accounts.
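
The account split discussed in this thread, written out as MySQL statements. This is an added example, not code from any poster; the schema `app`, table `posts`, account names, host and passwords are placeholder assumptions, and reading "update, create, and delete" as row-level UPDATE/INSERT/DELETE is also an assumption.

```sql
-- Added example. Placeholders (assumptions): schema `app`, table `posts`,
-- accounts app_ro / app_rw, host localhost, passwords CHANGE_ME_*.
-- Syntax shown is for current MySQL (5.7 / 8.0).

CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'CHANGE_ME_ro';
CREATE USER 'app_rw'@'localhost' IDENTIFIED BY 'CHANGE_ME_rw';

-- Read path: SELECT only, scoped to the one schema the site uses.
-- No global privileges, so FILE (required for SELECT ... INTO OUTFILE)
-- is not granted to this account.
GRANT SELECT ON app.* TO 'app_ro'@'localhost';

-- Write path: row-level changes only. No DROP / ALTER / CREATE (DDL),
-- no GRANT OPTION, and still nothing outside `app`.
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_rw'@'localhost';

-- Check 1: list exactly what each account holds.
SHOW GRANTS FOR 'app_ro'@'localhost';
SHOW GRANTS FOR 'app_rw'@'localhost';

-- Check 2: confirm neither account picked up global privileges
-- (all three columns should read 'N').
SELECT user, host, File_priv, Super_priv, Grant_priv
FROM mysql.user
WHERE user IN ('app_ro', 'app_rw');

-- Check 3: run while connected as app_ro. The server should refuse it
-- with error 1142 (UPDATE command denied), regardless of how the
-- statement reached the database.
UPDATE app.posts SET title = 'x' WHERE id = 1;
```

The PHP side then opens the `app_ro` connection for pages that only display data and uses `app_rw` only in the code paths that modify rows; escaping and input validation still apply to both.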