On Apr 22, 5:51 pm, Kees Nuyt <k.n...@nospam.demon.nl> wrote:
> On Tue, 22 Apr 2008 12:29:28 -0700 (PDT),
>
> lawp...@gmail.com wrote:
> >Well, if we have a database that's available to the public through a
> >website, and some entreprising hacker wants to do an SQL injection,
> >they would get quite a leg up if they could look up the exact names of
> >our fields and tables.
>
> They could try to query the INFORMATION_SCHEMA first,
> or use SHOW CREATE ... and explore from there.

If the MySQL user account they're connecting with does not have
permissions for that, then those queries will get them nowhere.