Glossary

DDL

Data Definition Language (DDL) is the subset of SQL used to define and change database structures such as tables, as opposed to the Data Manipulation Language (DML) statements (SELECT, INSERT, UPDATE, DELETE) that read and write the rows inside them.

The most common DDL commands are:

CREATE <table> Creates a new table.
ALTER <table> Changes a table structure, say, to add or remove columns, or indexes.
DROP <table> Destroys a table.

For most applications, table structures change only when a new version of the software is released. The principle of least privilege therefore dictates that the application should run under a database account that has no DDL privileges. This defense-in-depth measure limits the damage an attacker can do if they discover a SQL injection vulnerability in your site: the injected statement can manipulate data, but cannot drop or alter tables. DDL privileges should only be granted temporarily as part of a release process.
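A PostgreSQL role setup that applies this split, added here as an illustration rather than taken from the original glossary; the role, schema and table names are hypothetical, and the script assumes it is run by an administrator who may SET ROLE to both roles:

```sql
-- Added example (PostgreSQL). Role/schema/table names are hypothetical.

-- The release role owns all schema objects and is the only one that runs DDL.
CREATE ROLE release_user LOGIN PASSWORD 'placeholder-set-at-deploy';
-- The application role may only manipulate data (DML), never structure.
CREATE ROLE app_user LOGIN PASSWORD 'placeholder-set-at-deploy';

CREATE SCHEMA shop AUTHORIZATION release_user;

-- Tables are created during a release, as the release role...
SET ROLE release_user;
CREATE TABLE shop.orders (
    id    bigserial      PRIMARY KEY,
    total numeric(10, 2) NOT NULL
);
RESET ROLE;

-- ...and the application role receives DML only. USAGE lets it reference
-- objects in the schema; without CREATE on the schema it cannot add tables,
-- and because it owns nothing it cannot ALTER or DROP anything.
GRANT USAGE ON SCHEMA shop TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA shop TO app_user;
-- bigserial columns draw from a sequence the release role owns, so INSERT
-- needs USAGE on it as well.
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA shop TO app_user;

-- Apply the same grants automatically to tables created by future releases,
-- so nobody is tempted to run the app as the owner "just for this release".
ALTER DEFAULT PRIVILEGES FOR ROLE release_user IN SCHEMA shop
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_user;
ALTER DEFAULT PRIVILEGES FOR ROLE release_user IN SCHEMA shop
    GRANT USAGE, SELECT ON SEQUENCES TO app_user;

-- Verification from the application's point of view: DML works, DDL is refused.
SET ROLE app_user;
INSERT INTO shop.orders (total) VALUES (19.99);   -- succeeds
-- The two statements below are left commented out because each would abort
-- the script; run them interactively to confirm the refusal:
-- DROP TABLE shop.orders;                        -- ERROR: must be owner of table orders
-- ALTER TABLE shop.orders ADD COLUMN note text;  -- ERROR: must be owner of table orders
RESET ROLE;
```

The same check is worth repeating after every release: connect as the application role and confirm that a DROP or ALTER is rejected, which catches a migration that accidentally changed object ownership.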