Home/ Questions/Q 8092357
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T20:16:02+00:00

Suppose you’re writing a simple database web application using Ruby and MySQL. Access to

  • 0

Suppose you’re writing a simple database web application using Ruby and MySQL. Access to the database is controlled by Ruby code. The user name that the Ruby code uses to access the data is the only regular user on the database. Does it make sense for that user to be “root”? Or is there any extra security in creating a second user just for the application?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Simple, consider the root as the main user, who can do everything (by default).

    If he wants to dump the whole database, he can, if he wants to create some data to create (for example) fake account to overpass your bank system, he can.
    So if your code is not enough secure (and this is quite often usually), you have strong security issue.

    Usually, “a basic” security (really basic), should looks like that :
    create a simple user, give him (with GRANTS) the right to SELECT, INSERT, UPDATE and DELETE on a specific database.

    create another user who can SELECT and lock tables and SHOW VIEWS to perform dump (database save).

    On a more “complex” system, you should create many users, depending of what they should access, this is for simple reason : if somebody got a SQL injection access, if the user can only access to a single view (for example), and not the whole database, this is a security issue but not the baddest one…
    Also view are often used for that…

    And finally don’t forget triggers if you want (for example a log table), to disable insert or update or delete on a table, for everybody (except somebody who can destroy trigger of course) :
    Use a trigger to stop an insert or update

    • 0