From kraftb at think-open.at Fri Aug 31 11:12:21 2018
From: kraftb at think-open.at (Bernhard Kraft)
Date: Fri, 31 Aug 2018 11:12:21 +0200
Subject: [TYPO3-core] Database Connection / Connection Pool
Message-ID:

Hi,

Years ago I created an extension "ext_security". The intention was to
implement various security features but only for people wanting to rely
on them.

https://extensions.typo3.org/extension/ext_security/

The only feature I ever implemented there was FE database security. The
database user for FE was a different one than for BE operations.

This raised security as the DB admin can spell out more fine-grained
access rights for the FE. Which makes the system resistant against SQL
injections.

You could for example create a special database user (mysql) for FE
context which is only allowed SELECT to all tables except cache, etc.

Would this make sense for the core? There is no way to alter the
behaviour of ConnectionPool.php except by an alternate implementation
(xclass).

greetings,
Bernhard
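
The split described in the message above, sketched as MySQL grants. This is an added example, not part of the original message or of ext_security; the database name `typo3`, the account names, the host and the cache table names are assumptions, so take the real list of writable tables from your own schema.

```sql
-- Added example; every name here is an assumption, passwords are placeholders.

-- Backend account: data and schema rights on the whole TYPO3 database.
CREATE USER 'typo3_be'@'localhost' IDENTIFIED BY '<backend-secret>';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
  ON `typo3`.* TO 'typo3_be'@'localhost';

-- Frontend account: read-only by default, so a query injected through a
-- frontend request runs without INSERT, UPDATE, DELETE or DDL rights
-- on content and user tables.
CREATE USER 'typo3_fe'@'localhost' IDENTIFIED BY '<frontend-secret>';
GRANT SELECT ON `typo3`.* TO 'typo3_fe'@'localhost';

-- GRANT accepts no wildcard in the table name, so each table the frontend
-- must write to (cache tables here) is listed individually.
GRANT INSERT, UPDATE, DELETE
  ON `typo3`.`cf_cache_pages` TO 'typo3_fe'@'localhost';
GRANT INSERT, UPDATE, DELETE
  ON `typo3`.`cf_cache_pages_tags` TO 'typo3_fe'@'localhost';

-- Review the resulting privilege sets before switching the frontend over.
SHOW GRANTS FOR 'typo3_fe'@'localhost';
SHOW GRANTS FOR 'typo3_be'@'localhost';
```

Because SELECT is granted database-wide, the frontend account can still read every table; granting SELECT table by table instead narrows read access as well.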