Question

I'm not an expert but I do have a web front processing orders that have data needing to be input for further logins. Instead of using that database, I created another one with an extra column called status. Initially, when orders are processed, they are set to 0. The cron job runs every 3 minutes, polling this database for all users with status 0. When run, the cron sets the status of all currently processed users to status 1 (so if there are any that do get input during the runtime of the script, they will be processed next time, which is only 3 minutes later).

After the status of all new users is set to 1, just the password and email fields are dumped to a file and then loaded via "LOAD DATA INFILE" back into the real database that users need to log in to with their client. There is no web login form. It is for email, just using the IMAP client. However, I do use the root account for the cron, since I realized I needed to grant all privs to a user for the dumping of data, and if that is going to be it, I might as well just use root to update the status column first, then dump the new data to a file, then load it into the new db and go back and delete all users with status 1. It is a simple 4-line script running mysql from the command line.

Is this a safe bet, or am I risking something running a root cron every 3 min? I don't see how I can possibly have an issue, since I never use root to process the web stuff. I use a separate MySQL user with only INSERT privs for the web front to process new orders. Any comments? I feel like this way I can avoid SQL injection even though my MySQL user still has limited privs; there always might be something I don't know about.


Solution

Is this a safe bet or am I risking something

As long as it's a simple LOAD DATA INFILE query, no. However,

Instead of using that database, I created another one with an extra column called status.

  1. Such a flying circus is absolutely unnecessary.
  2. It doesn't protect you from injection anyway.

Instead, you have to use prepared statements for ALL the queries in your application.
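The two points of the answer side by side, as an added example that is not code from the original question or answer: the order form's INSERT written with string concatenation and with a parameterized query, followed by the cron's "read status 0, mark status 1" step. sqlite3 stands in for MySQL so it runs offline (with MySQL drivers such as PyMySQL the placeholder is %s rather than ?); the table layout (email, password, status with 0 = new, 1 = processed) and the hostile order input are assumed and constructed here. The hostile input is a single INSERT, which an INSERT-only grant permits, so the limited web user does not stop it; the staging database then hands the attacker's row to the root cron just like any real order.

```python
"""Added example, not code from the original question or answer: the order
intake and cron poll described above, written with parameterized queries.
sqlite3 stands in for MySQL so this runs offline (with MySQL drivers such as
PyMySQL the placeholder is %s rather than ?); the table layout is assumed
from the question: email, password, status (0 = new, 1 = processed)."""
import sqlite3

SCHEMA = """
CREATE TABLE orders (
    id       INTEGER PRIMARY KEY,
    email    TEXT NOT NULL,
    password TEXT NOT NULL,
    status   INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed attacker input for the email field of the order form. It is a
# single INSERT, so an INSERT-only MySQL grant does not stop it: it closes the
# intended row and appends an attacker-controlled account with status 0, which
# the root cron will later export and load into the real mail database.
HOSTILE_EMAIL = "x@example.com', 'pw', 0), ('attacker@evil.test', 'pwned', 0), ('"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_order_unsafe(conn, email, password):
    """The pattern the answer warns against: user data spliced into SQL text."""
    sql = ("INSERT INTO orders (email, password, status) VALUES ('%s', '%s', 0)"
           % (email, password))
    conn.execute(sql)
    conn.commit()


def insert_order_safe(conn, email, password):
    """Prepared/parameterized statement: the values never touch the SQL text."""
    conn.execute(
        "INSERT INTO orders (email, password, status) VALUES (?, ?, 0)",
        (email, password),
    )
    conn.commit()


def claim_pending(conn):
    """The cron step: read every status-0 row and mark it status 1.

    Marking by id means a row inserted between the SELECT and the UPDATE is
    left for the next run, which is what the three-minute cycle relies on.
    The placeholder list is built from the row count, not from user data,
    so the UPDATE is still fully parameterized.
    """
    rows = conn.execute(
        "SELECT id, email, password FROM orders WHERE status = 0 ORDER BY id"
    ).fetchall()
    ids = [row[0] for row in rows]
    if ids:
        marks = ",".join("?" * len(ids))
        conn.execute("UPDATE orders SET status = 1 WHERE id IN (%s)" % marks, ids)
        conn.commit()
    # These (email, password) pairs are what the question dumps to a file
    # for LOAD DATA INFILE into the real mail database.
    return [(email, password) for _, email, password in rows]


def pending_count(conn):
    return conn.execute("SELECT COUNT(*) FROM orders WHERE status = 0").fetchone()[0]


def run_demo(safe):
    """Submit one hostile order, run the cron step, report what got exported."""
    conn = open_db()
    insert = insert_order_safe if safe else insert_order_unsafe
    insert(conn, HOSTILE_EMAIL, "secret")
    exported = claim_pending(conn)
    return {"exported": exported, "left_pending": pending_count(conn)}


if __name__ == "__main__":
    for safe in (False, True):
        print("safe" if safe else "unsafe", run_demo(safe))
```

With the concatenated INSERT, the cron exports three accounts for one order, one of them the attacker's; with the parameterized INSERT it exports exactly one, whose email is the whole payload stored as an ordinary string. The four fixed statements in the cron itself take no user input, so, as the answer says, they are not the place injection happens; the order form is.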

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow