I'm working at providing more secure applications. Not that I think mine are particularly insecure (heres hoping not to now getting hacked). So i'm wondering, for a site in which people can only read what I write on it, is there any real need to have any other privileges other than 'Select' (in order to allow the pages to recall the said info from the DB)?
If you don't need to do anything other than a SELECT query, then only allowing SELECT should be fine. Saying that, if your sire is secure people should not be able to inject a different query type anyway, also one of the most useful attacks is getting all of the data from the database, which is still possible. So you may as well just use the standard permissions of SELECT INSERT UPDATE and DELETE.
hmmm, thanks for that, I always feel hazy around this topic. But after I posted it, I was thinking about the pros and cons of it all. In this instance SELECT would be fine, I haven't got any plans to expand on user generated content at the moment. Which I suppose is something in terms of someone damaging what's already there. But yes as you say, getting all of the data isn't much better. But I feel clearer in my mind now so thanks
