securing the database agains sql-injection attacks
 

Hi,

I want to increase the security of my vBulletin installation. I have
take several measures as suggested but I want to add something against
sql injection using yet-unknown exploits in the code of vBulletin or
a plugin.

I plan to disable write access on MySQL-level to all database tables which
contain executable code. When I need to modify these (which is seldom), I
login as root, temporarily allow the vbulletin user to write, do my changes
and switch back to read-only access.

My problem now is to identify all the database tables which contain executable
php code - I could not find any database reference documentation or similar.

Browsing through the tables I have found these:

plugin
product
productcode
setting
template

Does vBulletin need to write to any of these tables during regular production
operation (not reconfiguration with the admin cp)?

Is there any table missing which could contain php code that is being executed?
Do some values within "datastore" contain executable code?

What about the upgradelog? Could it be used to execute the file listed in "script"
or is it just a log of stuff from the past?

What about the "cron" table? Can I make everything except "nextrun" read-only?

Are there any other tables which contain static stuff that is only written to when
reconfiguring vBulletin through the admin control panel? E.g. stuff that contains
html or javascript which is included on every page?

Another table which I plan to make read-only is "administrator". Ok?

Kind regards,

Gerd