Jump to content

  • Log In with Google      Sign In   
  • Create Account

We're offering banner ads on our site from just $5!

1. Details HERE. 2. GDNet+ Subscriptions HERE. 3. Ad upload HERE.


#ActualNypyren

Posted 21 February 2013 - 04:44 PM

I think it's really a bad idea. Even if you give them access to no tables - only stored procedures - they can STILL break the server. There are numerous well-documented ways of either crashing the server or making it consume all its resources.
 
The INFORMATION_SCHEMA tables are visible to everyone regardless of permissions, and they can still do SELECTs on them. So if they join one of the (more than one row) I_S tables with itself a dozen times, then the server will attempt to create a result set bigger than your disc (in temp storage normally).

I think ApochPiQ meant that he only allows the client to talk to the server service (not the SQL database itself) AND the server's service only runs stored procedures with sanitized parameters instead of raw SQL queries.

#1Nypyren

Posted 21 February 2013 - 04:44 PM

I think it's really a bad idea. Even if you give them access to no tables - only stored procedures - they can STILL break the server. There are numerous well-documented ways of either crashing the server or making it consume all its resources.
 
The INFORMATION_SCHEMA tables are visible to everyone regardless of permissions, and they can still do SELECTs on them. So if they join one of the (more than one row) I_S tables with itself a dozen times, then the server will attempt to create a result set bigger than your disc (in temp storage normally).

I think ApochPiQ meant that he only allows the client to talk to the server service (not the SQL database itself) AND the server's service only uses stored procedures with sanitized parameters instead of raw SQL queries.

PARTNERS