Okay, I just backed up my database, just in case.
The whole schema for the database is here: http://www.accumulist.com/index.php?whatPage=db.php
You can run any SELECT query against this database that you want, and
send it as a GET request. This would be an example: http://www.accumulist.com/output.php...rom%20tagCloud
The function that returns this checks to query to see if it contains
the words ALTER, DROP, EMPTY, GRANT, UPDATE, INSERT, and a bunch of
others. It calls die() if it sees any of those words.
For obvious reasons, I'm trepidatious about exposing the database to
this degree. What are some of the obvious, and not so obvious, attacks
that I shoudl expect and defend against? 7  2097 
DOS is simple enough
select * from table1,table2,...tableN
Will cause a cross product to be calculated.If each of three tables has
10 rows, the query above will return 10^3=1000 rows.
Postgresql also does TRUNCATE - not sure about mysql.
MySQL has good permissions, you could connect to the db as a different
user and with only a limited set of permissions.
What about functions?
select LOAD_FILE('/etc/passwd');'
Message-ID: <11**********************@t31g2000cwb.googlegroups .com> from
lawrence k contained the following: The function that returns this checks to query to see if it contains
the words ALTER, DROP, EMPTY, GRANT, UPDATE, INSERT, and a bunch of
others. It calls die() if it sees any of those words.
The general advice seems to be to ban everything that is not allowed
rather than to allow anything which is not banned.
I think I'd construct the query in code from the input variables, after
having sanitised the input using mysql_real_escape_string()
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
"lawrence k" <lk******@geocities.com> wrote in
news:11**********************@t31g2000cwb.googlegr oups.com: The function that returns this checks to query to see if it contains
the words ALTER, DROP, EMPTY, GRANT, UPDATE, INSERT, and a bunch of
others. It calls die() if it sees any of those words.
For obvious reasons, I'm trepidatious about exposing the database to
this degree. What are some of the obvious, and not so obvious, attacks
that I shoudl expect and defend against?
a question i have as an outsider is, why are you doing this in the first
place?
as mentioned in another post, how would you possibly guard against a DOS
attack?
fundamentally poor design.
Good Man wrote: "lawrence k" <lk******@geocities.com> wrote in
news:11**********************@t31g2000cwb.googlegr oups.com:
The function that returns this checks to query to see if it contains
the words ALTER, DROP, EMPTY, GRANT, UPDATE, INSERT, and a bunch of
others. It calls die() if it sees any of those words.
For obvious reasons, I'm trepidatious about exposing the database to
this degree. What are some of the obvious, and not so obvious, attacks
that I shoudl expect and defend against?
a question i have as an outsider is, why are you doing this in the first
place?
So that outsiders can get the information in formats that I'd never
dream of. If I write every query myself, it forecloses the thing I want
most, which is people doing stuff with the contents of Accumulist that
I myself would never think of.
I've a long term goal of writing the whole database out every hour as a
giant RDF file, with all the relationships made explicit, and that
might allow the amount of spontaneous invention by outsiders that I'm
hoping for. But till then, I'm looking for an easier way to enable
this.
The simplest thing is for me to allow others to write their own SQL and
then for outsiders to pass in text files describing how they want the
output formatted.
If I can't make this secure, then I'll just write everything out as a
simple, huge XML file and let people use that.
fletch wrote: DOS is simple enough
select * from table1,table2,...tableN
Will cause a cross product to be calculated.If each of three tables has
10 rows, the query above will return 10^3=1000 rows.
Right. That leads me into making rules, which is discouraging. I can
see the complexity of the rules rapidly expanding and me still missing
most of the important possible attacks.
MySQL has good permissions, you could connect to the db as a different
user and with only a limited set of permissions.
I like that idea. Do you have suggestions of what would constitute a
minimal set of permissions that would still enable outsiders to make
queries that I can think of?
What about functions?
select LOAD_FILE('/etc/passwd');'
I've added a lot of the functions to the forbidden list, I'll probably
end up banning 99% of them.
Or maybe I'll just put all the data in an XML file. This seems,
otherwise, too hard. I like that idea. Do you have suggestions of what would constitute a
minimal set of permissions that would still enable outsiders to make
queries that I can think of?
Not really - I don't know enough to be authoritative on this.
>> MySQL has good permissions, you could connect to the db as a different user and with only a limited set of permissions.
I like that idea. Do you have suggestions of what would constitute a
minimal set of permissions that would still enable outsiders to make
queries that I can think of?
For read-only access to tables, a user needs SELECT (probably on
one database only) and possibly CREATE TEMPORARY TABLES (which is
sometimes needed implicitly for ORDER BY). This presumes that
you supply the tables and the data, created by an account that has
more privileges. This doesn't prevent running your database out
of disk space with temporary tables.
If you want to allow the user to alter data, but not the tables,
SELECT, INSERT, UPDATE, and DELETE privilege on one database, along
with CREATE TEMPORARY TABLES is probably sufficient. This does allow
them to wipe out any sample data and run your database out of disk
space.
This does not prevent hammering the db with queries (there are some
rate-limiting features for that) or loading down the server with
joins that create huge numbers of rows in the result. What about functions?
select LOAD_FILE('/etc/passwd');'
This requires FILE privilege to read files on the server.
This is a privilege you shouldn't hand out lightly.
Gordon L. Burditt This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Rada Chirkova |
last post by:
Hi,
at NC State University, my students and I are working on a project called
"self-organizing databases," please see description below. I would like to
use an open-source database system for...
|
by: Dom Boyce |
last post by:
Hi
First up, I am using MS Access 2002.
I have a database which records analyst rating changes for a list of
companies on a daily basis. Unfortunately, the database has been set
up (by my...
|
by: John Wildes |
last post by:
Hello
How do I pass a variable containing data to an SQL Query. Here is my query
>>>
SELECT trn_date AS `Transaction Date`, item AS `Item Number`, type AS
`Policy Type`, pol AS `Policy...
|
by: Dave Edwards |
last post by:
I understand that I can fill a datagrid with multiple queries, but I cannot
figure out how to fill a dataset with the same query but run against
multiple SQL servers, the query , table structure...
|
by: google |
last post by:
I am creating a new database for use within our company, that I'd like
to make reasonably secure (short of a true server based solution). The
back-end of a non-server based database seems to be...
|
by: AA |
last post by:
hello to aal,
how its mossible to someone update may database, for now we have a database
and time to time, someone update a record, changing the information.
what can i do to avoid this?
...
|
by: salad |
last post by:
I'm curious about your opinion on setting relationships.
When I designed my first app in Access I'd go to Tools/Relationships and
set the relationships. Over time I'd go into the window and see...
|
by: Jay |
last post by:
I have a DB2 UDB database on an AIX UNIX machine. I would like to know
the queries running against certain tables. There are some applications
outside of the database that do read and update these...
|
by: jehugaleahsa |
last post by:
Hello:
I am writing a cute little class that will cache queries against a
database. Currently, I am implementing this by storing the command
text, parameter values and generated DataRows.
...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
| |
