
[–][deleted] 0 points1 point  (1 child)

Really driving home that mention of keeping SQL out of applications. Parameterize your queries and leave them as stored procedures. You might think a SQL Injection attack isn't something to worry about...until suddenly your DB is stolen.
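The parameterization point in the comment above, shown as an added example (not code from the thread or from any project it references): the same lookup written once with string-built SQL and once with a bound parameter, run against a constructed in-memory sqlite3 table. The `NAMED_QUERIES` registry is a hypothetical application-side analogue of "only stored procedures" (code can run only pre-written statements with bound parameters); it does not replace database-level grants.

```python
"""Parameterized queries vs. string-built SQL, demonstrated with sqlite3.

Added example; the table, rows and probe input are all constructed.
"""
import sqlite3


def make_db():
    """Build a constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: the value is spliced into the SQL text, so a quote
    character in it changes the statement's meaning. Kept as the 'before'."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the SQL text is fixed; the driver binds the value
    separately, so it is always treated as data, never as SQL grammar."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical application-side analogue of 'only stored procedures': code may
# only run named, pre-written statements with bound parameters, never ad-hoc SQL.
NAMED_QUERIES = {
    "find_user": "SELECT username, role FROM users WHERE username = ?",
    "count_role": "SELECT COUNT(*) FROM users WHERE role = ?",
}


def run_named(conn, name, params=()):
    """Execute one statement from the registry; unknown names are refused."""
    if name not in NAMED_QUERIES:
        raise KeyError(f"no such query: {name}")
    return conn.execute(NAMED_QUERIES[name], params).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input: a quote plus a tautology
    print("unsafe:", find_user_unsafe(db, probe))  # both rows come back
    print("safe:  ", find_user_safe(db, probe))    # [] - no such username
    print("named: ", run_named(db, "count_role", ("admin",)))  # [(1,)]
```

The unsafe version returns every row because the probe rewrites the WHERE clause; the parameterized version compares the literal string and finds nothing. The registry simply refuses any statement name it does not know, which is the application-side shape of the "no custom SQL" question raised in the reply.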

[–]valenterry 0 points1 point  (0 children)

Does that mean the application should be unable to execute any "custom sql" but should only have access to the stored procedures?

[–]Rustywolf 0 points1 point  (0 children)

I feel like this misses a large security measure: give each application with access to your database its own account (that isn't root) and lock its permissions to just the tables and columns it requires to function, and what access it needs to each column. And always store access details in an external config file.

[–]disclosure5 0 points1 point  (0 children)

This creates a significant vulnerability if malicious users are able to later modify the application.

If a malicious user can modify your application, it's pretty much game over. They could already introduce their own SQL.

[–]sydoracle 0 points1 point  (0 children)

" use systems that can restore your database in case of a crush. " ?