TECH6.0

eL3 · #1 20-10-2009, 05:23 PM

I'm considering creating an account on my VPS which has read-only access to a MySQL database which contains no sensitive data.
I will then release code which allows people to log into my site from their server, and read data which they need. All data within the database is freely available to anyone who wishes to see, but what I'm worried about is whether or not this could allow remote SQL commands to be given.

Are you guys understanding what I'm saying? Or should I say it more clearer..
The password is 100% guessable and 100% different from any password used by myself or the server, the user account will have read-only permissions to a database which has no sensitive data what-so ever. No passwords, not even a username. It goes as far as having a client number, and a few values which I feel other sites within my niche could benefit from. Furthermore, users of my system would benefit from the certralization of data which has been lost over countless failed websites.

But I can't really see any reason my system would produce a security risk, am I over-seeing something?

Shocker · #2 21-10-2009, 05:33 PM

I'm considering creating an account on my VPS which has read-only access to a MySQL database which contains no sensitive data.
I will then release code which allows people to log into my site from their server, and read data which they need.

As Said by eL3

What does the bold part means? Log into your site from their server?

All data within the database is freely available to anyone who wishes to see, but what I'm worried about is whether or not this could allow remote SQL commands to be given.

As Said by eL3

You mean SQL injection? It depends on your code really. I think this is what we call Input Filtering where you clean the data what the user has entered before it touches the database.

But I can't really see any reason my system would produce a security risk, am I over-seeing something?

As Said by eL3

I can't see a flaw either. Things would itself become more clear once your system goes live.

eL3 · #3 21-10-2009, 06:55 PM

It's not a matter of code, none of this is handled by PHP code on my side.
The part that you bolded means; the admin uploads a PHP file to their server that, when accessed, connects to my servers' MySQL database. The account they use to connect has strictly read-only privileges.

The system won't be live for a while now. I need to finish coding my CMS and plugin-modules before I can even begin setting up the various expansions I want.

Prateek_m · #4 23-10-2009, 10:07 AM

So why do have to worry when the account they'll use to connect has strictly read-only privileges? If not code, then for what possible reasons can you see your application to be insecure?

sidharthbanyal · #5 21-03-2011, 03:59 PM

It should not affect if account have read only privilege.

tootatomy · #6 08-04-2011, 11:13 AM

Trust them and don't second guess yourself.

moshun111 · #7 08-04-2011, 12:44 PM

just listen to romantic music it should make your view on love more strong. music is what helps me in any situation.

suba · #8 21-11-2011, 04:01 PM

Thanks to given good information.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

TECH6.0

Insecure?