A little while back I wanted to check whether there was another way to prevent SQL injection than running the mysql_real_escape_string function and other checks.
What I did was to add a user that only had read and write access to the database. The user was not allowed to delete. I ran only a few tests since I am no master of SQL injection, but those I ran were successful. The injector was not able to empty the database or run other dangerous SQL queries.
The drawback is that not all hosting providers set up two database users, one with restricted access, but I believe they should start doing this. It is an effective way to limit the damage some SQL injections can do.
What it does not stop, of course, is an intruder filling the database with bogus data. Since the account still has read and write access, an injected query can also still read rows the page was never meant to show, or change existing ones; restricting the user limits what an injection can do, it does not stop the injection itself.
Please do discuss this post and test different SQL injection queries.
This is of course a method for the frontend, not the backend, since the administration tool also needs to delete data, but it is still better than nothing.
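As an added example (not code from the original post), here is how the restricted account described above could be set up in MySQL, followed by what typical injected statements can and cannot do once the frontend connects as that account. The `shop` schema, the `users` table, the account name and the password are constructed for illustration; the `GRANT` syntax and MySQL error 1142 are real.

```sql
-- Added example, not from the original post. The schema, the users table,
-- the account name and the password are made up for illustration.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE IF NOT EXISTS users (
  id       INT AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(64)  NOT NULL UNIQUE,
  pw_hash  VARCHAR(255) NOT NULL,
  is_admin TINYINT(1)   NOT NULL DEFAULT 0
);
INSERT INTO users (username, pw_hash, is_admin)
VALUES ('alice', 'hash-of-alices-password', 1),
       ('bob',   'hash-of-bobs-password',   0);

-- The frontend account: it may read and write rows and nothing else.
-- DELETE, DROP, ALTER, CREATE, FILE and the like are deliberately absent.
CREATE USER 'shop_web'@'localhost' IDENTIFIED BY 'replace-this-password';
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'shop_web'@'localhost';

-- ---------------------------------------------------------------------
-- Everything below is run as shop_web@localhost. Each statement is what
-- the server receives once a payload has been spliced into the frontend's
-- query; the "-- " (note the trailing space) at the end of each payload
-- comments out the rest of the original WHERE clause, so that tail is
-- omitted here.
-- ---------------------------------------------------------------------

-- Original query:  SELECT id, username FROM users
--                  WHERE username = '<input>' AND pw_hash = '<hash>'
-- Payload:         x' OR 1=1 -- 
SELECT id, username FROM users WHERE username = 'x' OR 1=1;
-- Allowed (SELECT is granted): returns every user, the login check is bypassed.

-- Payload:         x' UNION SELECT id, pw_hash FROM users -- 
SELECT id, username FROM users WHERE username = 'x'
UNION SELECT id, pw_hash FROM users;
-- Allowed: the password hashes leave the database through a plain SELECT.

-- Payload:         x'; UPDATE users SET is_admin = 1 WHERE username = 'bob' -- 
-- (only reaches the server if the client library sends stacked statements,
--  which depends on its multi-statement setting; assumed here as the worst case)
UPDATE users SET is_admin = 1 WHERE username = 'bob';
-- Allowed (UPDATE is granted): bob is now an administrator.

-- Payload:         x'; DELETE FROM users -- 
DELETE FROM users;
-- Denied:  ERROR 1142 (42000): DELETE command denied to user
--          'shop_web'@'localhost' for table 'users'

-- Payload:         x'; DROP TABLE users -- 
DROP TABLE users;
-- Denied:  ERROR 1142 (42000): DROP command denied to user
--          'shop_web'@'localhost' for table 'users'
```

Run the setup part as an administrative account, then open a second `mysql` session as `shop_web` for the rest. The two denied statements are exactly the cases the post's tests covered; the three allowed ones are the cases the restricted account cannot help with, which is why it should sit beside, not instead of, proper parameter handling in the application.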
A way to prevent SQL-injection
November 17th, 2009
1 Comment


It is always good practice to limit access to your database by setting proper user permissions on the database. Combine this with, for instance, PDO and its way of passing parameters to the query and you should be quite secure.
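To show what the commenter's second point means on the database side, here is an added example (not the commenter's or the post's code): the same attacker input run once through string concatenation and once as a bound parameter of a MySQL server-side prepared statement. This is what PDO's `prepare()`/`execute()` sends when emulated prepares are switched off (`PDO::ATTR_EMULATE_PREPARES` set to `false`); with emulation on, PDO escapes the value client-side instead, with the same outcome for this payload. The table and its rows are constructed for illustration.

```sql
-- Added example, not from the post or the comment. Table and rows are made up.
CREATE TABLE IF NOT EXISTS users (
  id       INT PRIMARY KEY,
  username VARCHAR(64)  NOT NULL,
  pw_hash  VARCHAR(255) NOT NULL
);
INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');

-- The attacker's input, held as data. Inside the string literal the
-- doubled '' is a single quote, so @u is:  x' OR 1=1 --   (trailing space)
SET @u = 'x'' OR 1=1 -- ';

-- 1. What the vulnerable frontend does: splice the input into the SQL text.
--    The resulting statement is
--    SELECT id, username FROM users WHERE username = 'x' OR 1=1 -- '
SET @sql = CONCAT('SELECT id, username FROM users WHERE username = ''', @u, '''');
PREPARE concatenated FROM @sql;
EXECUTE concatenated;            -- both rows come back: the input became code
DEALLOCATE PREPARE concatenated;

-- 2. What a bound parameter does: the statement text is fixed at PREPARE
--    time and @u is only ever compared as a string value.
PREPARE bound FROM 'SELECT id, username FROM users WHERE username = ?';
EXECUTE bound USING @u;          -- empty result: no user is literally named x' OR 1=1 --
DEALLOCATE PREPARE bound;
```

Paste the block into a `mysql` session against a scratch schema. The first `EXECUTE` lists both users because `OR 1=1` became part of the query; the second returns nothing because the whole payload, quote and comment marker included, was compared as a value. Combined with the restricted account from the post, the bound parameter stops the injection and the account limits the damage if anything slips through.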