[soult]

> The only smart way to give clients access to a database is through some sort of frontend entirely under your control which prevents them from having the user/pass and sanitizes the queries.

MySQL maybe, but enterprise DBs (think Oracle, DB2, Postgres) support a very fine-grained access model.

[toyg]

I'd argue that even then, they are less hardened against network-layer exploits than your average webserver. Network security is bread & butter for a webserver, not for your enterprise DB running in safe intranets with only cursory penetration testing.

[soult]

I agree, though if you hardcode username and password into your application there's no need for fancy exploits.