According to this question, SQL injection is something one would have to prevent. In an application where the user is only selecting from the database, how would this be a concern?
-
Yes, yes it is. – John Conde Apr 16 '17 at 00:05
-
Yes. It is a concern. – DJAM Silvère Gatien Apr 16 '17 at 00:06
-
@JohnConde How? The MySQL user that I am using only has SELECT access and the code itself is only running a SELECT function. – p26528 Apr 16 '17 at 00:11
-
If you can SELECT you can still get sensitive data from the database. – Louis Loudog Trottier Apr 16 '17 at 00:12
-
@LouisLoudogTrottier I am only concerned about them editing the database; there is no sensitive information on it that I am aware of. – p26528 Apr 16 '17 at 00:13
2 Answers
Here are some examples of problems that SQL injection could allow even if the user is restricted to SELECT privilege:
The attacker could read data intended to be read only by other users. Many applications use the same MySQL user to connect, and then enforce further data-access restrictions with application code. I.e. I'm only supposed to see the shopping cart that I created. But with SQL injection, I could read everyone's shopping cart, their purchase history, their credit card number, and so on.
The attacker could read the hashed passwords of other accounts, crack them (on his own computer), and then log in to another user with greater privileges.
The attacker could run a denial-of-service attack by running a SELECT query that uses too many resources. For example, on MySQL, the table INFORMATION_SCHEMA.CHARACTER_SETS is readable even for a user with no privileges. Now what is going to happen when the attacker runs this query:

    -- six-way cross join of the same table; the aliases and distinct column
    -- names are needed so MySQL accepts the query instead of rejecting the
    -- repeated table and column names
    SELECT * FROM (
      SELECT a.CHARACTER_SET_NAME AS c1, b.CHARACTER_SET_NAME AS c2,
             c.CHARACTER_SET_NAME AS c3, d.CHARACTER_SET_NAME AS c4,
             e.CHARACTER_SET_NAME AS c5, f.CHARACTER_SET_NAME AS c6
      FROM INFORMATION_SCHEMA.CHARACTER_SETS a, INFORMATION_SCHEMA.CHARACTER_SETS b,
           INFORMATION_SCHEMA.CHARACTER_SETS c, INFORMATION_SCHEMA.CHARACTER_SETS d,
           INFORMATION_SCHEMA.CHARACTER_SETS e, INFORMATION_SCHEMA.CHARACTER_SETS f
    ) AS t ORDER BY 1;

It tries to create a temp table on disk for 2,839,760,855,281 rows. I predict that will exhaust disk space on your server.
Your question sounds like you're fishing for a rationale for skipping writing safe code that protects against SQL injection.
Sorry, no dice. You need to write safe code.

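The first two points in the answer above (reading other users' rows, and their password hashes, through a connection that cannot write anything) as an added, runnable example. This is not code from the answer or from the question's application; the schema, rows and attacker payloads are constructed for the demonstration, and SQLite's `PRAGMA query_only` is used as a stand-in for a MySQL account granted only SELECT, which is an assumption about the OP's setup. The same string is sent to a concatenated query and to a parameterised one, so the difference in what comes back is the whole point.

```python
import sqlite3

# Constructed sample schema and rows (not data from the original page).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT);
CREATE TABLE carts (id INTEGER PRIMARY KEY, user_id INTEGER, item TEXT, card_last4 TEXT);
INSERT INTO users VALUES
  (1, 'alice', '$2b$12$hash-of-alice', 'user'),
  (2, 'bob',   '$2b$12$hash-of-bob',   'user'),
  (3, 'admin', '$2b$12$hash-of-admin', 'admin');
INSERT INTO carts VALUES
  (1, 1, 'book',   '1111'),
  (2, 2, 'laptop', '2222'),
  (3, 3, 'server', '3333');
"""


def open_select_only_db():
    """In-memory SQLite database whose connection refuses writes.

    This stands in (assumption) for a MySQL account that only has the
    SELECT privilege, which is the situation the question describes.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.executescript(SCHEMA)
    conn.execute("PRAGMA query_only = ON")  # INSERT/UPDATE/DELETE now fail
    return conn


def write_is_blocked(conn):
    """True if the connection really does refuse writes (the OP's premise)."""
    try:
        conn.execute("UPDATE carts SET item = 'pwned'")
    except sqlite3.OperationalError:
        return True
    return False


def cart_vulnerable(conn, user_id):
    """The injectable pattern: the request value is pasted into the SQL."""
    sql = "SELECT item, card_last4 FROM carts WHERE user_id = " + user_id
    return conn.execute(sql).fetchall()


def cart_safe(conn, user_id):
    """Same query with a bound parameter; the value can never become SQL."""
    sql = "SELECT item, card_last4 FROM carts WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# Payloads an attacker would send in the user_id request parameter.
PAYLOAD_ALL_CARTS = "1 OR 1=1"
PAYLOAD_PASSWORD_HASHES = "1 UNION SELECT username, password_hash FROM users"


if __name__ == "__main__":
    db = open_select_only_db()
    print("writes blocked:     ", write_is_blocked(db))
    print("own cart:           ", cart_vulnerable(db, "1"))
    print("every cart:         ", cart_vulnerable(db, PAYLOAD_ALL_CARTS))
    print("all password hashes:", cart_vulnerable(db, PAYLOAD_PASSWORD_HASHES))
    print("safe, same payload: ", cart_safe(db, PAYLOAD_PASSWORD_HASHES))
```

The UNION payload works because the attacker only needs the injected SELECT to return the same number of columns as the original one; nothing in it requires write access, and the read-only connection happily returns every user's credential hash alongside the one cart the code meant to show. The parameterised version returns nothing for the same input because the whole string is compared against the integer column as a value.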
Anything the user does that will lead to a CRUD operation on the data source should be treated as dangerous, and all precautions taken to prevent SQL injection.

-
Why? The MySQL user that I am using only has SELECT access and the code itself is only running a SELECT function. – p26528 Apr 16 '17 at 00:12
-
Because, how about the SQL injection tricking your so-called user to select all data and send it to the caller? – rogerwamba Apr 16 '17 at 01:48