> something or are the database queries not doing the moral equivilent of
> running everything as root and hoping the, usually sadly lacking, input
> validation saves the system?
Nope, you're not missing a thing. Most databases have poor access
controls - the only ones you're going to see Real Security(tm) on will
be military/government systems and financial institutions and other
systems in need of serious access control and auditing.
Keep in mind that for database standards and stuff, DoS attacks and
web-integration is still kind of a new thing - the protocols were never
designed to do what they're doing these days.. security wasn't a
consideration 5 years ago because making your internal data available
to the world was considered ludicrious - and most companies think
username/password combos with read/write/update (etc) rights was
a "good enough" solution... :( And for some environments, you can
trust a simple configuration like that. If you unplug your system,
lock it in a safe in which only you have the key, and the root password
is root1root it's still a damn secure setup.. NT's "c2 rating" comes
to mind. :)
I don't know. Anyone care to comment on the security features of
other databases?
