I'm looking at using built-in database migration frameworks (such as the migration framework included in EF Code First or migratordotnet), but I have concerns about the implications of allowing a production website to have permissions to execute DDL statements.
In the past, when working with web apps, I would migrate database objects manually, which would allow me to restrict the permissions the web application's database user was given. This meant that even in the case of a SQL injection attack, a stolen web.config or some other attack on the website, it would be more difficult for an attacker to do serious damage (though obviously not impossible).
It seems to me that by performing migrations via the application (as seems to be almost required when using a PaaS like AppHarbor) you open your application up to more threats. So, the heart of my question is:
- Are my concerns unwarranted?
- Are there any steps I can take to mitigate those threats while still taking advantage of automated deployments?
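The split the question describes (a runtime database user with DML rights only, and DDL confined to a separate migration identity) can be expressed directly in T-SQL. The following is an added example, not code from the question or from EF/migratordotnet; the database name `AppDb`, the principals `app_migrate` and `app_runtime`, and the passwords are placeholders. The deployment step would connect as `app_migrate` to run migrations, while only the `app_runtime` connection string goes in `web.config`.

```sql
-- Added example (not from the original question): two SQL Server principals for one
-- database so that the website itself never holds DDL rights.
-- AppDb, app_migrate, app_runtime and the passwords are assumed placeholder names.
USE [master];
GO
CREATE LOGIN [app_migrate] WITH PASSWORD = N'<strong-password-1>';
CREATE LOGIN [app_runtime] WITH PASSWORD = N'<strong-password-2>';
GO

USE [AppDb];
GO
CREATE USER [app_migrate] FOR LOGIN [app_migrate];
CREATE USER [app_runtime] FOR LOGIN [app_runtime];
GO

-- Migration principal: used only by the deployment pipeline. db_ddladmin lets it
-- create/alter/drop objects; datareader/datawriter let it maintain the migrations
-- history table and run data fixes. It is deliberately not db_owner or sysadmin.
ALTER ROLE [db_ddladmin]   ADD MEMBER [app_migrate];
ALTER ROLE [db_datareader] ADD MEMBER [app_migrate];
ALTER ROLE [db_datawriter] ADD MEMBER [app_migrate];
GO

-- Runtime principal: the identity in web.config. DML only, no DDL, so a SQL
-- injection or a leaked connection string cannot alter or drop schema objects.
ALTER ROLE [db_datareader] ADD MEMBER [app_runtime];
ALTER ROLE [db_datawriter] ADD MEMBER [app_runtime];
-- Tighter still: drop the datawriter membership and expose writes only via procedures:
-- GRANT EXECUTE ON SCHEMA::[dbo] TO [app_runtime];
GO

-- Verification (run as an admin): impersonate the runtime user and attempt DDL.
-- The CREATE TABLE should fail with error 262 (CREATE TABLE permission denied).
EXECUTE AS USER = 'app_runtime';
BEGIN TRY
    EXEC('CREATE TABLE dbo.ShouldFail (Id int);');
    PRINT 'FAIL: runtime user can run DDL';
END TRY
BEGIN CATCH
    PRINT 'OK: runtime user cannot run DDL (' + ERROR_MESSAGE() + ')';
END CATCH;
REVERT;
GO

-- Second check: list the runtime user's effective database-level permissions.
-- Expect no CREATE TABLE, ALTER or CONTROL rows.
EXECUTE AS USER = 'app_runtime';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name IN ('CREATE TABLE', 'ALTER', 'CONTROL');
REVERT;
GO
```

The verification block is worth keeping as part of the deployment checklist: if a later migration or a well-meaning `ALTER ROLE [db_owner] ADD MEMBER [app_runtime]` widens the runtime account, the impersonated CREATE TABLE will start succeeding and the check will print FAIL.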