sql injection

Hello,

The databaseuser of the database in phpmyadmin has full rights in phpmyadmin (alter, create routine, drop, index, lock tables, select, update, delete, execute, ...)

2 question:

1. Is it necessary to give the databaseuser all this rights to install modx, ...
2. is modx evolution protected against sql-injection?

thanks

1. The permissions the database user has completely depends on what permissions he was given in MySQL. That has nothing at all to do with MODx.

2. Yes, with the caution that it is possible to write snippets and plugins with PHP code that itself is not secure. For that reason, Evo has the option of preventing Manager users from using the @EVAL feature of TVs.

1. and is it necessary to give all the permissions in MySQL to run MODX
2. thanks. If i use snippets and plugins from modx-site, then there wil be no problem?

1. Not all, but it depends on what some of your snippets or plugins are doing. Minimum should probably be:

SELECT, INSERT, UPDATE, DELETE for data, CREATE, ALTER, INDEX, DROP for tables, and possibly CREATE TEMPORARY TABLES.

2. We certainly expect so! You should subscribe to the notices newsletter just in case, though. http://forums.modx.com/thread/251/security-notice-subscription-options#dis-post-1649