Security Recommendations (MySQL and SQL in the Web Interface)
Anyone running MySQL (or any other SQL server) on a computer connected to the Internet should read this advice to avoid the most commonly encountered security problems.
However, it is necessary to stress the importance of fully securing the host (not just the MySQL server) against all kinds of attacks. This article unfortunately cannot cover every aspect of security, but the most important problems are discussed in reasonable depth.
MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations a user may attempt. There is also some support for SSL-encrypted connections between MySQL clients and servers. Many of the concepts discussed in this article are not specific to MySQL and apply to all applications.
When running MySQL, try to follow these recommendations:
Do not give anyone (except the MySQL administrator) access to the user table in the mysql database. The encrypted password stored there is the real password as far as MySQL is concerned: if you know the password listed in the user table for a given user, you can easily log in as that user from any host listed for that account.
Learn the MySQL access privilege system. The GRANT and REVOKE commands are used to control access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts on the network. Checks:
1. Try mysql -u root. If you can connect to the server without being asked for a password, you have a problem: anyone can connect to your MySQL server as the MySQL root user with full privileges. Read the MySQL installation instructions carefully, paying attention to the steps for setting the root password.
2. Use the SHOW GRANTS command to check who has access to what. Remove unnecessary privileges with the REVOKE command.
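The two checks above can be repeated offline against a dump of the user table. The following is an added example (not part of the original article) that takes rows shaped like the result of SELECT user, host, password FROM mysql.user and flags the conditions the text warns about: accounts without a password (which is exactly what makes mysql -u root succeed without a prompt), anonymous accounts, and host patterns that match more than one host. The sample rows and the placeholder password values are constructed; the three-column row shape is an assumption about how the listing was exported.

```python
"""Added example, not part of the original article: an offline audit of the
rows from `SELECT user, host, password FROM mysql.user`, checking for the
conditions the GRANT/REVOKE advice warns about.

Assumption: the three-column row shape below; on the server generations the
article targets, an empty `password` column means the account has no
password, which is what makes `mysql -u root` log in without a prompt.
"""


def audit_user_table(rows):
    """Return (user, host, finding) tuples for accounts that need attention."""
    findings = []
    for user, host, password in rows:
        if password == "":
            findings.append((user, host, "no password set"))
        if user == "":
            findings.append((user, host, "anonymous account"))
        # '%' and '_' are wildcards in host patterns; '%' (or empty) means every host.
        if host == "" or "%" in host or "_" in host:
            findings.append((user, host, "host pattern matches more than one host"))
    return findings


def root_without_password(rows):
    """True if any root account can log in with no password (the `mysql -u root` test)."""
    return any(user == "root" and password == "" for user, _, password in rows)


# Constructed sample rows; the password values are placeholders, not real hashes.
SAMPLE_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", "<hash-placeholder>"),
    ("", "localhost", ""),
    ("webapp", "localhost", "<hash-placeholder>"),
    ("backup", "%.corp.example", "<hash-placeholder>"),
]

if __name__ == "__main__":
    for user, host, finding in audit_user_table(SAMPLE_ROWS):
        print(f"{user!r}@{host!r}: {finding}")
```

Each finding maps directly to a REVOKE, a password change, or a DROP of the anonymous account; the webapp account, bound to one host and carrying a password, produces no finding.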
Do not store passwords in clear text in your database. If your computer is compromised, the intruder can obtain the full list of passwords and use them. Instead, store them with the MD5 algorithm or another one-way hash function.
Do not choose passwords from dictionaries; there are special programs for guessing them. Even passwords like "xfish98" are very bad. Much better is "duag98", which contains the same word "fish" but typed one key to the left on the keyboard. Another method is to use a password such as "UMBBR", made from the first letters of the words of a sentence (here a sentence in the article's original language meaning roughly "Mary had a big child"). Such passwords are easy to remember and type, but hard for an attacker to guess.
Use a firewall. It protects you from at least 50% of the exploited vulnerabilities in any software. MySQL uses port 3306 by default. This port should be reachable only from trusted hosts. The simplest way to check whether your MySQL port is open is to try the following command from some remote machine, where server_host is the host name of your MySQL server: telnet server_host 3306
Do not trust any data entered by users. They can trick your code by entering special characters in web forms or URLs. Make sure your application remains safe if the user enters something like: drop database mysql;. This is an extreme example, but many security leaks and data losses happen because of attackers using similar methods. Also remember to check numeric data; a common mistake is to protect only strings. Sometimes people think that if a database contains only publicly available data, it does not need protecting. This is wrong: at the very least, a DoS attack can be carried out against such a database. The simplest way to protect against this type of attack is to put apostrophes around numeric constants:
select * from table where id = '234'. MySQL automatically converts this string to a number and strips all non-numeric characters from it. Checks:
All web applications:
1. Try entering single and double quotes (' and ") in your web forms. If you get any kind of MySQL error, investigate the problem immediately.
2. Try modifying the URL by adding %22 ("), %23 (#), %27 (').
3. Try changing the data type in dynamic URLs from numeric to the characters shown in the previous examples. Your application should be safe against this and similar attacks.
4. Try entering letters, spaces, and special characters instead of numbers in numeric fields. Your application should remove them before passing the values to MySQL, or it should produce an error.
5. Check the size of the data before passing it to MySQL.
6. Your application should connect to the database as a user distinct from the one you use for administration. Do not give your application more rights than it really needs.
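The checklist above (steps 1 to 5) and the quoting advice before it can be turned into an automated local test of a request handler. The block below is an added example, not code from the original article: Python's bundled sqlite3 stands in for MySQL (an assumption; the SQL used is accepted by both, though sqlite does not strip non-numeric characters from a quoted number the way the text describes MySQL doing), and ? placeholders play the role the article assigns to Perl DBI placeholders and JDBC PreparedStatement. The items table, the field names and the probe values are constructed for the example. A vulnerable handler that splices form values into SQL text is shown beside the hardened one so the harness has something to catch.

```python
"""Added example, not part of the original article: the web-application
checklist turned into an automated local test of a request handler.
sqlite3 stands in for MySQL (an assumption); `?` placeholders take the
place of the Perl DBI / JDBC placeholders the article recommends.
Table and field names are made up for the example.
"""
import re
import sqlite3
import urllib.parse

MAX_LEN = 64   # size limit enforced before anything reaches the database (step 5)


class RejectedInput(ValueError):
    """Raised when a form value fails validation; the handler answers with an error (step 4)."""


def parse_id(raw):
    """Numeric field: digits only, bounded length. fullmatch also rejects a trailing newline."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise RejectedInput(f"bad numeric field: {raw!r}")
    return int(raw)


def parse_name(raw):
    """String field: only the size is checked here; quoting is left to the placeholder."""
    if len(raw) > MAX_LEN:
        raise RejectedInput("field too long")
    return raw


def lookup(conn, raw_id, raw_name):
    """Hardened handler: values travel as bound parameters, never as SQL text."""
    item_id = parse_id(raw_id)
    name = parse_name(raw_name)
    sql = "SELECT id, name FROM items WHERE id = ? AND name = ?"
    return conn.execute(sql, (item_id, name)).fetchall()


def vulnerable_lookup(conn, raw_id, raw_name):
    """The pattern the checklist is meant to catch: raw form values spliced into the SQL."""
    sql = f"SELECT id, name FROM items WHERE id = {raw_id} AND name = '{raw_name}'"
    return conn.execute(sql).fetchall()


def make_db():
    """Constructed in-memory table with a few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "fish"), (2, "lamp"), (3, "private")])
    return conn


# Constructed probes mirroring checklist steps 1-5: quotes, the URL-encoded
# %22 %23 %27 forms, non-numeric text in a numeric field, and an oversized value.
PROBES = [
    ("1", "'"),
    ("1", '"'),
    ("1", urllib.parse.unquote("%22")),
    ("1", urllib.parse.unquote("%23")),
    ("1", urllib.parse.unquote("%27")),
    ("1 OR 1=1 --", "fish"),
    ("1", "x' OR '1'='1"),
    ("abc", "fish"),
    ("1 2", "fish"),
    ("1", "a" * (MAX_LEN + 1)),
]


def run_checklist(handler):
    """Feed every probe to a handler. A probe passes if the handler rejects it or
    returns at most one row (a well-formed request matches a single id);
    database errors and extra rows are reported as failures."""
    conn = make_db()
    failures = []
    for raw_id, raw_name in PROBES:
        try:
            rows = handler(conn, raw_id, raw_name)
        except RejectedInput:
            continue
        except sqlite3.Error as exc:
            failures.append((raw_id, raw_name, f"database error: {exc}"))
            continue
        if len(rows) > 1:
            failures.append((raw_id, raw_name, f"{len(rows)} rows returned"))
    return failures


if __name__ == "__main__":
    print("hardened handler failures:", run_checklist(lookup))
    print("vulnerable handler failures:", run_checklist(vulnerable_lookup))
```

Run against the vulnerable handler, the harness reports the quote probes as database errors (step 1) and the type-confusion probes as queries that returned every row (step 3); the hardened handler either rejects the probe before it reaches the database or returns nothing, which is the behaviour the checklist asks for.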
PHP users:
Check the addslashes() function. As of PHP 4.0.3, the mysql_escape_string() function is available; it is based on the function of the same name in the MySQL C API.
MySQL C API users:
Check the mysql_escape_string() API call.
MySQL++ users:
Check the escape and quote modifiers in query streams.
Perl DBI users:
Check the quote() method or use placeholders.
Java JDBC users:
Use PreparedStatement objects and placeholders.
Do not send unencrypted data over the Internet. Such data is available to anyone with the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL or SSH. MySQL has built-in SSL support as of version 3.23.9. SSH can be used to create encrypted tunnels.
Learn to use tcpdump. In most cases you can check whether MySQL data streams are unencrypted with the following command:
shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings
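What that tcpdump pipeline shows on an unencrypted connection is reproduced below on a constructed byte string, so the check can be understood without a live capture. This is an added example, not code from the original article. It assumes the classic MySQL packet framing (3-byte little-endian payload length, 1-byte sequence number, payload) and the COM_QUERY command byte 0x03; the sample traffic is built inline, not captured from a real server. printable_strings() does what the strings tool does, and cleartext_queries() goes one step further by decoding the packets, which is only possible because nothing is encrypted.

```python
"""Added example, not part of the original article: what `tcpdump ... | strings`
reveals on a cleartext MySQL connection, reproduced offline.

Assumptions: classic MySQL packet framing (3-byte little-endian length,
1-byte sequence number, payload) and COM_QUERY = 0x03. SAMPLE_STREAM is
constructed, not captured.
"""
import struct

COM_QUERY = 0x03


def mysql_packet(seq, payload):
    """Frame a payload the way the MySQL client/server protocol does."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def split_packets(stream):
    """Split a byte stream into (seq, payload) tuples; stops at a truncated packet."""
    packets = []
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        body = stream[pos + 4:pos + 4 + length]
        if len(body) < length:
            break
        packets.append((seq, body))
        pos += 4 + length
    return packets


def cleartext_queries(stream):
    """Return the SQL text of every COM_QUERY packet found in a cleartext stream."""
    return [body[1:].decode("utf-8", "replace")
            for _, body in split_packets(stream)
            if body and body[0] == COM_QUERY]


def printable_strings(data, min_len=4):
    """What the `strings` tool prints: runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Constructed sample: one client query as it would cross port 3306 unencrypted.
SAMPLE_STREAM = mysql_packet(0, bytes([COM_QUERY]) + b"SELECT user, host FROM mysql.user")

if __name__ == "__main__":
    print("strings would show:", printable_strings(SAMPLE_STREAM))
    print("decoded queries:", cleartext_queries(SAMPLE_STREAM))
```

On an SSL- or SSH-tunnelled connection the same functions return nothing readable: the bytes on the wire no longer carry a MySQL packet header or printable query text, which is the positive result the tcpdump check is looking for.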