Is using different database users for different types of queries good practice?

I use MySQL and PHP for the project I'm working on. I created individual users to perform various functions (one to run SELECT queries, one to run UPDATE queries, etc.) to provide an additional level of security. Thus, I believe that if someone succeeds in carrying out an injection attack (which is unlikely, since I use prepared statements), all they can do will be limited by the type of query that was originally intended to be run. Is this good practice, or is it not worth the trouble?

+3
2 answers

In addition to the extra logic, you will also have separate connections and significant overhead in this area.

IMHO it is advisable not to run all your queries in the webapp as the root user, and if the data is that hot, then make sure that the designated user does not have DROP, DELETE, etc. privileges. You can implement soft-delete in your application if necessary.

Last but not least, make sure you sanitize all the GPCs and make sure that you quote/escape correctly in your queries. Using prepared statements is one way, but in the end it can be as simple as using mysql_real_escape_string() or any quoting methods of your DBAL/ORM layer.

+6
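As an added example (not from the question or either answer), this is what the privilege layout described above looks like in MySQL: a read-only account for SELECT queries, a write account that can INSERT and UPDATE but holds no DELETE, DROP, ALTER or GRANT privilege, and a soft-delete column so rows are flagged rather than removed. The database name `app`, the table `orders`, the account names and the host mask are assumptions.

```sql
-- Added example: least-privilege MySQL accounts for the pattern discussed above.
-- Database "app", table "orders", account names and the host mask are assumptions.

-- Read-only account: used by the connection that only ever runs SELECT.
CREATE USER 'app_ro'@'10.0.0.%' IDENTIFIED BY '<strong-password-placeholder>';
GRANT SELECT ON app.* TO 'app_ro'@'10.0.0.%';

-- Write account: may insert and update rows, but cannot DELETE, DROP, ALTER or GRANT.
CREATE USER 'app_rw'@'10.0.0.%' IDENTIFIED BY '<strong-password-placeholder>';
GRANT SELECT, INSERT, UPDATE ON app.* TO 'app_rw'@'10.0.0.%';

-- Soft delete: rows are flagged, never removed, so no application account needs DELETE.
ALTER TABLE app.orders ADD COLUMN deleted_at DATETIME NULL DEFAULT NULL;

-- "Deleting" an order is an UPDATE run by app_rw (42 stands in for a bound parameter).
UPDATE app.orders
   SET deleted_at = NOW()
 WHERE id = 42 AND deleted_at IS NULL;

-- Reads run by app_ro hide soft-deleted rows.
SELECT id, total
  FROM app.orders
 WHERE deleted_at IS NULL;

-- Check what each account can actually do (run as an administrative user).
SHOW GRANTS FOR 'app_ro'@'10.0.0.%';
SHOW GRANTS FOR 'app_rw'@'10.0.0.%';

-- Run over the app_ro connection, the next statement is rejected with a
-- "command denied to user" error: an injected DELETE through that connection fails
-- for the same reason. Note the limit of the scheme: anything covered by the
-- SELECT grant is still readable over that connection, so grant it per table
-- rather than on app.* where the schema allows.
-- DELETE FROM app.orders WHERE id = 42;
```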


Source: https://habr.com/ru/post/1697658/
