
I'm wondering if it's necessary to use different MySQL user permissions if I use prepared statements and PDO?

Basically I want a user with permission to SELECT and only SELECT, and a user who can use INSERT.

I know prepared statements are a must, but are the permissions too?

DalekSall
  • You can implement PHP logic for this, but I don't see the point if you are using the MySQL users, not other ones – Royal Bg Sep 19 '13 at 06:40
  • Nope, setting different permissions is a false practice, a palliative. You can make different users if you wish, but don't call it a protection measure. – Your Common Sense Sep 19 '13 at 07:58
  • Well, I want users with specific permissions, but if prepared statements secure the system enough to make the user thing unnecessary, it seems like a waste of energy – DalekSall Sep 19 '13 at 09:26
  • The user thing IS unnecessary regardless of prepared statements. This thing **doesn't secure your system at all**. SQL injections aren't limited to the silly drop table query from the comic. – Your Common Sense Sep 19 '13 at 10:26

1 Answer


For most applications, the difference between read-only SQL injection and read-write SQL injection is minuscule. Your database will typically have all the secrets that an attacker wants to steal, so being able to read those secrets out of the database is enough to be game over.

Having separate readers and writers will double the number of active database connections from your application. This may increase your risk of denial-of-service (DoS) attack. Furthermore, it also makes the application logic more verbose than it needs to be.

If you're worried about the impact of SQL injection, just use prepared statements. And make sure you're really using prepared statements, not "emulated prepared statements". See ircmaxell's answer here for why emulated prepared statements are evil.

Scott Arciszewski
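As an added illustration of the answer's point (this code is not part of the original answer or of any library the page mentions), the following PDO connection disables emulated prepares so that the query text and the bound values are sent to MySQL separately, and shows the unsafe concatenation beside the prepared form. The database name `app`, the credentials `app_user`/`secret`, and the `users` table are hypothetical. The `ORDER BY` whitelist is included because prepared statements only protect *values*: a column or table name supplied by the user cannot be bound as a parameter, which is the kind of injection the comments above warn is not covered by the "drop table" picture.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Hypothetical database and credentials.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'secret', [
        // Native server-side prepares: MySQL parses the statement before it ever
        // sees a parameter value, so user input cannot change the query's structure.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// VULNERABLE: the value is spliced into the SQL text, so a quote in $name
// terminates the string literal and the rest is executed as SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll();
}

// Columns a caller is allowed to sort by. Identifiers cannot be bound as
// parameters, so anything else must be rejected or mapped, never concatenated.
const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];

// SAFE: the statement shape is fixed; $name travels as a value, and the
// sort column is taken from a fixed list rather than from the request.
function findUserSafe(PDO $pdo, string $name, string $orderBy = 'id', int $limit = 50): array
{
    if (!in_array($orderBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("unsupported sort column: $orderBy");
    }

    $stmt = $pdo->prepare(
        "SELECT id, name FROM users WHERE name = :name ORDER BY $orderBy LIMIT :limit"
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    // With emulation off, LIMIT must be bound as an integer; a string here
    // would be quoted and MySQL would reject the statement.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

$pdo   = connect();
$input = "x' OR '1'='1";   // classic payload, constructed for the demonstration

// Returns only rows whose name is literally the payload string (normally none).
print_r(findUserSafe($pdo, $input, 'name'));

// Throws, instead of letting "name; DROP TABLE users" reach the server.
try {
    findUserSafe($pdo, 'alice', 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

If the application really does connect as two different MySQL users, as the question proposes, nothing in the PDO side changes: only the credentials passed to `connect()` differ. That is what the answer means by the separation adding connections and code without changing what an injected `SELECT` can read.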