How dangerous is giving the public the ability to run SELECT queries in a database?

Question

Suppose I do the following:

I create a MySQL database and populate it with some data.
I am creating a MySQL user who has access only to this database and who only has SELECT privileges.
I create a web page through which a user (any user without a password) can enter arbitrary SQL, and when submitting a form, the script tries to run SQL as the MySQL user I created; any generated result set is displayed to the user; any error message is displayed to the user.
Suppose that the database does not have stored procedures, etc., as well as tables and views, and that I am happy if anyone sees any of the contents of this particular database.

We assume that the installation will be verified by an attacker. What could be the worst?

Some thoughts:

MySQL provides various instructions, such as SHOW, etc., that a user with only SELECT privileges can use to collect information about the database server or about my databases. Other information may be obtained from error messages. Although probably not enough to gain improper access, this information can certainly help in this.
, , .
, .

+5

Hammerite 07 . '11 11:56

3

, "shell", . SQL-. .

MySQL , SHOW .., , SELECT, .

.

. , , , , , .

.

, , .

"" . , SELECT .

, .

. . . . .

, .

SELECT * FROM table, table, table, table , .

, " " SQL Server. , " ". . .

+5

S.Lott 07 . '11 12:03

?

. , , , .

, , . , . .

+3

Guffa 07 . '11 12:17

Bohemian · Accepted Answer · 2011-06-07T12:02:48+0000

. , :

select some_function_that_updates() from some_table;

, , :

select * from some_massive_table cross join some_other_massive_table;

, , , ... ,