Suppose I actually do the following:

  • I create a MySQL database and populate it with some data.
  • I create a MySQL user that has access only to that database, and who has only SELECT rights.
  • I create a web site through which a person (any user, no password needed) can enter arbitrary SQL, and on submitting the form a script tries to run the SQL as the MySQL user I created; any result set produced is displayed to the user, and any error message produced is displayed to the user.
  • Assume that the database contains no stored procedures etc., just tables and views, and that I'm happy for anyone to see the contents of that database.

I assume that the setup is going to be probed by a malicious user. What's the worst that may happen?

Some ideas:

  • MySQL provides various statements like SHOW etc. that a user with only SELECT rights can still use to gather details about the database server or about my databases. Additional information might be gleaned from error messages. While most likely not sufficient to gain improper access, these details could surely help in doing so.
  • There could be defects in the database software, or in my scripts, or in the scripting language itself, that may allow a user to do things they aren't supposed to be able to do through this interface.
  • Doing this might violate a terms-of-service agreement, particularly if I'm using shared hosting.

Err. Clever users may attack via syntax like:

select some_function_that_updates() from some_table;

And there is a denial-of-service attack that may blow memory, like:

select * from some_massive_table cross join some_other_massive_table;

And frankly, it's difficult enough for experienced developers to write queries that behave well... what chance does a bad user have even when they try to write a good query?

For this to work, you have to write a "shim" application that actually does the queries. You are not going to turn people loose on the SQL server directly. It's rude.

MySQL provides various statements like SHOW etc. that a user with only SELECT rights can still use to gather details about the database server or about my databases.

Don't execute them in your shim.

Additional information might be gleaned from error messages. While most likely not sufficient to gain improper access, these details could surely help in doing so.

Don't display them from your shim.

There could be defects in the database software, or in my scripts, or in the scripting language itself, that may allow a user to do things they aren't supposed to be able to do through this interface.

Don't do anything with "elevated" rights. Don't execute anything other than SELECT in your shim.

Doing this might violate a terms-of-service agreement, particularly if I'm using shared hosting.

Really unlikely. And. Don't ask us this type of question. We don't know. Read your contract.

The one thing you forgot.

A badly designed SELECT * FROM table, table, table, table can perform an outer join of vast numbers of rows, effectively becoming a denial-of-service attack.

Therefore, you have to enable all the "resource quota" features in the OS, as well as in the SQL server. Every quota should be set as low as possible, and any resource quota problem must result in an immediate "too much data" type of error page. No exceptions. No workarounds.
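To make the advice in the two answers above concrete (a shim that only ever runs a single SELECT, never shows the engine's own error text, and turns any runaway join into an immediate "too much data" page), here is an added example that is not part of this thread or of any project. It uses Python's sqlite3 as an offline stand-in for MySQL; the time and row budgets are enforced with sqlite's progress handler and a wrapping LIMIT. On a real MySQL deployment the same budgets would be set server-side with the session variables max_execution_time (MySQL 5.7.8+), sql_select_limit and max_join_size, plus per-account limits such as MAX_QUERIES_PER_HOUR and MAX_USER_CONNECTIONS. The table, row counts, keyword list and limits are constructed for the example.

```python
import re
import sqlite3
import time

# Policy constants for the shim (constructed for this example).
MAX_ROWS = 100          # result rows the shim is willing to return
MAX_QUERY_LEN = 2000    # characters of SQL accepted from the form
TIMEOUT_S = 0.2         # time budget per query before "too much data"

# Server-side log of real engine errors; the user only ever sees a generic text.
ERROR_LOG = []

# Anything that is not part of a plain read. A match inside a string literal
# is a false positive that fails closed, which is acceptable for a public shim.
FORBIDDEN = re.compile(
    r"\b(INSERT|UPDATE|DELETE|REPLACE|DROP|ALTER|CREATE|TRUNCATE|RENAME|"
    r"GRANT|REVOKE|SET|SHOW|LOAD|LOAD_FILE|CALL|HANDLER|LOCK|INTO|OUTFILE|"
    r"DUMPFILE|BENCHMARK|SLEEP)\b", re.I)


def strip_comments(sql):
    """Remove /* */, -- and # comments so a second statement hidden in a
    comment, or MySQL's executable /*! ... */ comments, cannot slip past
    the checks below. The stripped text is what gets executed."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"(--|#).*?$", " ", sql, flags=re.M)
    return sql


def check_query(sql):
    """Return (True, cleaned_sql) for a single plain SELECT, else (False, reason)."""
    if len(sql) > MAX_QUERY_LEN:
        return False, "query too long"
    s = strip_comments(sql).strip().rstrip(";").strip()
    if ";" in s:
        return False, "only one statement allowed"
    if not re.match(r"(?i)select\b", s):
        return False, "only SELECT is allowed"
    m = FORBIDDEN.search(s)
    if m:
        return False, "keyword not allowed: " + m.group(1).upper()
    return True, s


def run_query(conn, sql, timeout_s=TIMEOUT_S):
    """Validate, cap and execute one user-supplied SELECT.

    Returns {"columns": [...], "rows": [...]} or {"error": <generic text>}.
    The engine's real error message is logged server-side, never returned."""
    ok, result = check_query(sql)
    if not ok:
        return {"error": result}
    # Wrap in a derived table so the engine stops after MAX_ROWS + 1 rows even
    # for a runaway cross join; the extra row tells us the cap was hit.
    wrapped = "SELECT * FROM (%s) AS q LIMIT %d" % (result, MAX_ROWS + 1)
    deadline = time.monotonic() + timeout_s
    timed_out = []

    def budget():
        # sqlite calls this every 1000 VM steps; a non-zero return aborts
        # the statement (stand-in for MySQL's max_execution_time).
        if time.monotonic() > deadline:
            timed_out.append(True)
            return 1
        return 0

    conn.set_progress_handler(budget, 1000)
    try:
        cur = conn.execute(wrapped)
        rows = cur.fetchall()
        cols = [d[0] for d in cur.description]
    except sqlite3.Error as exc:
        ERROR_LOG.append(str(exc))          # real message stays server-side
        return {"error": "too much data" if timed_out else "query failed"}
    finally:
        conn.set_progress_handler(None, 0)
    if len(rows) > MAX_ROWS:
        return {"error": "too much data"}
    return {"columns": cols, "rows": rows}


def make_demo_db(rows=200):
    """Constructed sample database standing in for the MySQL one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO t (name) VALUES (?)",
                     [("user%d" % i,) for i in range(rows)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for q in ["SELECT count(*) FROM t",
              "SELECT 1; DROP TABLE t",
              "SELECT * FROM t INTO OUTFILE '/tmp/x'",
              "SELECT * FROM t",
              "SELECT count(*) FROM t a, t b, t c, t d, t e, t f",
              "SELECT nosuch FROM t"]:
        print(q, "->", run_query(db, q))
```

The six-way self join is the "SELECT * FROM table, table, table, table" case from the answer above: the shim never lets it finish, and the user sees only "too much data", while the misspelt-column query yields "query failed" with the engine's message (which names the column) kept in ERROR_LOG on the server side.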

What's the worst that may happen?

Nobody knows. Not even those who built the database engine could say with absolute certainty what might be possible.

What's certain, however, is that you are getting rid of a layer of protection. You no longer have a layer outside the database that can filter the input. You're depending solely on the database's ability to protect itself, and it is not designed to be a public interface.