I've only skimmed this, but it looks like a great post, covering an area of database security almost everyone overlooks. There is no reason your app needs to run with carte blanche access to every table in the database, especially when your app is primarily driven by reads.<p>I've been on pentest engagements where clients have survived rather horrible SQL injection vulnerabilities because the database handle the injection happened on had no meaningful privileges.