I’m currently making a website using PHP and MYSQLi. And I’ve been read a lot about SQL injection. As answered on other questions from StackExchange, 2 ways of prevent it is by using prepared statement and escaping string. Since I’m not able to do prepared statement (I’ve tried to make it based on tutorials and videos but can’t make it work) so I chose another way(escaping string). My question is, if I change permission for user at my SQL login page, to only able to do ‘SELECT’ query. Will it able to give me extra security measure to prevent user from DROP, ALTER, etc on my database. Because my website :-
- Not require any user to register.
- The only text field link to my query is for full text search function (which only use SELECT for the query and I have mysqli escape string on this text field).
Advertisement
Answer
It’s always a good idea to give your application’s database login only the permissions it needs. If it doesn’t need to do inserts or updates, don’t give it insert or update permission.
However, attackers may still be able to exploit SQL injection vulnerabilities to read unauthorized data using select statements, so you still need to protect your queries against that.