Question

Let's imagine the following situation:

The admin has access to the admin control panel of some webshop. He has the rights to create categories, products and so on... He also has the right to create product types.

This means that the admin opens a page with a product type creation form, where he writes a type name and a few type attributes:

Form input field - User input

  • Type name : Computers
  • Attribute_1: Storage
  • Attribute_2: Graphic card
  • Attribute_3: Processor
  • Attribute_4: Operation system
  • Attribute_5: null
  • Attribute_6: null
  • [Submit]

After submitting, a whole new table computers will be created in the db. The table will have four columns (storage, graphic_card, processor, operation_system).

My question is: Is it all right to allow the shop administrator to create tables in the database in this way? Or is it bad practice?

Of course, there will be the classic mechanisms to prevent SQL injection...

Thanks a lot for your answers! And sorry for my bad English :)


The solution

Giving a web-application user rights as powerful as CREATE TABLE is generally bad practice. I would implement the table creation in a stored procedure, then give the user only execute access on the procedure, and wouldn't give more powerful and dangerous DDL (Data Definition Language) rights.

By creating the table from a stored procedure you can restrict table creation with business rules. For example, you can impose a pattern on the table name, restrict the number of columns or cap the number of tables that can be created, and you can also log the table creation event.
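The following is an added example (not part of the original question or answer) of the approach the answer describes, written for PostgreSQL. The function runs as SECURITY DEFINER, so it executes with the rights of the role that owns it (a role that has CREATE on the schema), while the web application's role only gets EXECUTE on the function and no DDL rights of its own. Every business rule mentioned above is enforced inside the function: a fixed pattern on the table and column names, a bound on the number of columns, a cap on the number of product-type tables, and an audit row per creation. The schema name `product_types`, the role name `shop_admin_app`, the `creation_log` table and the concrete limits (6 attributes, 100 tables) are assumptions for the example, not part of the original page.

```sql
-- Added example, not from the original post. Run this as the DDL-capable
-- role that will own the schema and the function (hypothetical names).

CREATE SCHEMA IF NOT EXISTS product_types;

-- Audit table: who created which product-type table, with which columns.
CREATE TABLE IF NOT EXISTS product_types.creation_log (
    id          bigserial   PRIMARY KEY,
    created_at  timestamptz NOT NULL DEFAULT now(),
    created_by  text        NOT NULL DEFAULT current_user,
    table_name  text        NOT NULL,
    columns     text[]      NOT NULL
);

CREATE OR REPLACE FUNCTION product_types.create_product_type(
    p_type_name  text,      -- e.g. 'Computers'
    p_attributes text[]     -- e.g. ARRAY['Storage', 'Graphic card', ...]
) RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER                         -- runs with the owner's rights
SET search_path = product_types, pg_temp -- no search_path hijacking
AS $$
DECLARE
    v_table text;
    v_attr  text;
    v_norm  text[] := ARRAY[]::text[];
    v_cols  text;
    v_count int;
BEGIN
    -- Rule 1: table name must match a fixed pattern. Normalize, then
    -- allow only [a-z0-9_], so the name can never carry quotes or spaces.
    v_table := lower(regexp_replace(btrim(p_type_name), '\s+', '_', 'g'));
    IF v_table !~ '^[a-z][a-z0-9_]{1,30}$' THEN
        RAISE EXCEPTION 'invalid product type name: %', p_type_name;
    END IF;

    -- Rule 2: bounded number of attributes, each validated the same way.
    IF p_attributes IS NULL OR array_length(p_attributes, 1) IS NULL THEN
        RAISE EXCEPTION 'at least one attribute is required';
    END IF;
    IF array_length(p_attributes, 1) > 6 THEN
        RAISE EXCEPTION 'at most 6 attributes allowed';
    END IF;
    FOREACH v_attr IN ARRAY p_attributes LOOP
        v_attr := lower(regexp_replace(btrim(v_attr), '\s+', '_', 'g'));
        IF v_attr !~ '^[a-z][a-z0-9_]{1,30}$' THEN
            RAISE EXCEPTION 'invalid attribute name: %', v_attr;
        END IF;
        IF v_attr = ANY (v_norm) OR v_attr = 'id' THEN
            RAISE EXCEPTION 'duplicate or reserved attribute name: %', v_attr;
        END IF;
        v_norm := v_norm || v_attr;
    END LOOP;

    -- Rule 3: cap the total number of product-type tables.
    SELECT count(*) INTO v_count
      FROM pg_tables
     WHERE schemaname = 'product_types'
       AND tablename <> 'creation_log';
    IF v_count >= 100 THEN
        RAISE EXCEPTION 'product type limit reached';
    END IF;

    -- Build the column list with %I so each identifier is quoted as an
    -- identifier even after validation (defense in depth), then create.
    SELECT string_agg(format('%I text', a), ', ')
      INTO v_cols
      FROM unnest(v_norm) AS a;

    EXECUTE format(
        'CREATE TABLE product_types.%I (id bigserial PRIMARY KEY, %s)',
        v_table, v_cols);

    -- Rule 4: log the creation event.
    INSERT INTO product_types.creation_log (table_name, columns)
    VALUES (v_table, v_norm);

    RETURN v_table;
END;
$$;

-- The web application's role gets EXECUTE on the function and nothing
-- else in this schema: no CREATE privilege, so it cannot issue DDL itself.
REVOKE ALL ON FUNCTION product_types.create_product_type(text, text[]) FROM PUBLIC;
GRANT USAGE ON SCHEMA product_types TO shop_admin_app;
GRANT EXECUTE ON FUNCTION product_types.create_product_type(text, text[])
    TO shop_admin_app;

-- What the application runs for the form in the question (as shop_admin_app):
-- SELECT product_types.create_product_type(
--     'Computers',
--     ARRAY['Storage', 'Graphic card', 'Processor', 'Operation system']);
-- This creates product_types.computers with the columns
-- id, storage, graphic_card, processor, operation_system.
```

Note that the application-side SQL-injection defenses mentioned in the question still matter for the call itself (pass the form values as bound parameters, not by string concatenation), but even a failure there can no longer produce arbitrary DDL: the only DDL the application's role can trigger is the one statement the function builds from validated, identifier-quoted names.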

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow