The user I created can only INSERT, SELECT, DELETE, UPDATE using the GRANT
option from the mysql cmd line.  I'll have to start checking my data per
yours and Curt's responses.

Sounds like I should remove the DELETE option from that user and create a
second user with DELETE permission.

-Kirk


"Dan Anderson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> > up until now!  Dumb now I realize, thanks for pointing that out.  I've
> > created a new root pwd, and created a user with access only to the "alumni"
>
> If you want to be super secure you should create several users.  One
> for SELECTing, one for INSERTing, etc.  Juggling resource handles gets
> tricky though.  But basically the idea is this:
>
> If a user or viewer of your site can figure out what you're using to
> select from / whatever in the database, they may try passing a query
> into the database.  For instance, if you were using a form for email, a
> user might type in the following
>
> Email:
> "; DROP TABLE *;
>
> You'd basically lose your database (and any other databases if you're
> using your root account!).  So you should check all input from the user
> so that all "s are escaped and all 's are escaped, etc.  Also, limiting
> permissions helps.  For instance, if one user is used for SELECTs then a
> hacker could not drop a database.  Same goes with other things.
>
> Just some things to think about.  There are many many more things you
> should be doing, but they're too extensive to list here.
>
> -Dan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
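
The split discussed in this thread (an everyday account without DELETE, a second account that holds it) combined with bound parameters for form input, as an added example that is not code from either poster. It assumes a local MySQL server, a database named `alumni` with a table `members(id, email)`, and the hypothetical accounts `alumni_rw` and `alumni_del` whose passwords are read from environment variables.

```php
<?php
// Added example. Assumed names: database `alumni`, table `members(id, email)`,
// accounts alumni_rw / alumni_del, passwords read from environment variables.
//
// One-time setup in the mysql client, run as an administrator:
//   CREATE USER 'alumni_rw'@'localhost'  IDENTIFIED BY '<password>';
//   CREATE USER 'alumni_del'@'localhost' IDENTIFIED BY '<password>';
//   GRANT SELECT, INSERT, UPDATE ON alumni.* TO 'alumni_rw'@'localhost';
//   GRANT SELECT, DELETE         ON alumni.* TO 'alumni_del'@'localhost';

function connect(string $user, string $password): PDO
{
    return new PDO('mysql:host=localhost;dbname=alumni;charset=utf8mb4', $user, $password, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors raise PDOException
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepared statements
    ]);
}

// The value travels separately from the SQL text, so quotes in it cannot end the statement.
function findByEmail(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email FROM members WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Only called from the admin code path, with the delete-capable connection.
function deleteMember(PDO $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM members WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

$rw = connect('alumni_rw', (string) getenv('ALUMNI_RW_PW'));

// The form input quoted in the thread, handled as an ordinary (non-matching) string.
$rows = findByEmail($rw, '"; DROP TABLE *;');
echo count($rows), " row(s) matched\n";

// The everyday account has no DELETE privilege, so MySQL rejects this statement.
try {
    deleteMember($rw, 1);
} catch (PDOException $e) {
    echo "DELETE refused for alumni_rw: ", $e->getMessage(), "\n";
}

$del = connect('alumni_del', (string) getenv('ALUMNI_DEL_PW'));
echo deleteMember($del, 1), " row(s) deleted by alumni_del\n";
```

The delete account also holds SELECT because MySQL requires it for the column read in the `WHERE` clause.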
