> something or are the database queries not doing the moral equivalent of
> running everything as root and hoping the, usually sadly lacking, input
> validation saves the system?

Nope, you're not missing a thing. Most databases have poor access controls - the only ones you're going to see Real Security(tm) on will be military/government systems and financial institutions and other systems in need of serious access control and auditing.

Keep in mind that for database standards and stuff, DoS attacks and web-integration are still kind of a new thing - the protocols were never designed to do what they're doing these days.. security wasn't a consideration 5 years ago because making your internal data available to the world was considered ludicrous - and most companies think username/password combos with read/write/update (etc) rights were a "good enough" solution... :(

And for some environments, you can trust a simple configuration like that. If you unplug your system, lock it in a safe in which only you have the key, and the root password is root1root it's still a damn secure setup.. NT's "c2 rating" comes to mind. :)

I don't know. Anyone care to comment on the security features of other databases?
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:31 PDT