Best approach for DB connections

Question

What is Best approach for DB connections.

One connection with all privileges for all operation (CRUD)

Or

2 connections, one for DELETE and one for others (CRU)

Or

Different connection for each operation.

Which is best for performance and security.

Answer 1

I personally would stick with one connection.

There's no security difference between having 1 connection with all of the privileges and having 2 connections. If an attacker is in a position access the CRU credential, then they can just as easily access the other credential anyway.

To a large extent there's value in keeping it simple. The less you have to think about managing connections, then the more headspace you've got for other things like secure coding, best practice, managing vulnerabilities etc.

If you're particularly concerned about mass deletes, you could use a stored routine (start here: http://dev.mysql.com/doc/refman/5.1/en/stored-routines.html ) that would delete a single row. Your PHP connection could then have CRU privileges (but not delete), plus permission to run this stored precedure. That would mean that an attacker would have to call this procedure multiple times to delete multiple records, and (if done properly) would be unable to effect a mass delete with a single SQL statement.

Answer 2

Common practice is to have single connection (user) to database with granted permissions for SELECT, INSERT, UPDATE, and DELETE.

If you want to have separate users with different permissions then create one user with only SELECT and another with all CRUD. Then in script select one of these connections use it for executing all queries.

Opening multiple connections from one client is not good idea because you will effectively half the number of clients being able to connect.

This applies only if you have only one database server, if you use read replicas then having multiple connections to different databases (on different servers) is not a problem.