11. mysql input security: mysql

Source: Internet
Author: User
Tags: mysql backup


1. Try to use the "bind parameter" feature; in PHP, PDO can be used to perform a series of operations with bound parameters.
2. PHP can also use the mysql_real_escape_string() function to filter input.

How to configure the security of the MySQL server

Because the server runs in a chroot, the path to the configuration file differs from a standard installation; the same situations come up in real operations, and you should know how to handle them correctly.

1. Disable remote connections

To disable remote connections, first stop MySQL listening on port 3306, its default TCP port. Because MySQL here serves only local scripts, remote connections are not required. Although MySQL's built-in security mechanism strictly controls the TCP port, leaving it open is still dangerous: if the MySQL program itself has a problem, unauthorized access can bypass the built-in security mechanism completely. Disabling network listening is simple: in the [mysqld] section of /chroot/mysql/etc/my.cnf, remove the # in front of skip-networking.

If network listening is closed, how do local programs connect to the MySQL database? They use the Unix socket mysql.sock, which is faster than a network connection. Remote backups of MySQL are usually performed over SSH.

2. Prohibit MySQL from importing local files

Disable the LOAD DATA LOCAL INFILE command: a database user can abuse it to read sensitive information from local files. Add the following statement to the [mysqld] section of /chroot/mysql/etc/my.cnf:

set-variable = local-infile=0

The management commands on the system (mysql, mysqladmin, mysqldump and so on) read the system /etc/my.cnf and connect to the MySQL server through /tmp/mysql.sock. There are two ways to connect to the MySQL server under chroot. One is to add --socket=/chroot/mysql/tmp/mysql.sock to the management command, for example:

# /usr/local/mysql/bin/mysql -u root -p --socket=/chroot/mysql/tmp/mysql.sock

The other is to add socket=/chroot/mysql/tmp/mysql.sock to the [client] section of /etc/my.cnf. The second method is more convenient.

3. Modify the MySQL root user name and password

# chrootuid /chroot/mysql /usr/local/mysql/libexec/mysqld &
# /usr/local/mysql/bin/mysql -u root
......
mysql> SET PASSWORD FOR root@localhost = PASSWORD('new_password');

Get into the habit of setting passwords inside mysql rather than on the shell command line, because shell input can be seen by other users.

mysql> use mysql;
mysql> update user set user="wghgreat" where user="root";
mysql> select Host, User, Password, Select_priv, Grant_priv from user;
mysql> delete from user where user='';
mysql> delete from user where password='';
mysql> delete from user where host='%';
mysql> drop database test;
mysql> flush privileges;
mysql> quit;

The default test database is an easy guess for attackers, so drop it.

4. Delete history commands

Some history files, including ~/.bash_history and ~/.mysql_history, record commands, and you may be surprised to find plaintext passwords in them.

# cat /dev/null > ~/.bash_history
# cat /dev/null > ~/.mysql_history

PHP communication with MySQL: by default PHP uses /tmp/mysql.sock to communicate with MySQL. Solution:

# ln /chroot/mysql/tmp/mysql.sock /tmp/mysql.sock

Note: a hard link cannot cross file-system partitions, so both paths must be located on the same partition.
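The following audit script is an added example, not part of the original article or of any MySQL tool. It checks a my.cnf for the two [mysqld] settings recommended above (an active skip-networking line and local-infile=0) and checks that a data directory denies all group and other access, which is the effect of the chmod -R go-rwx step described later on this page; the sample configuration files are constructed here.

```shell
# Added audit helper (not from the article): checks that a my.cnf carries the
# two [mysqld] settings recommended above and that a data directory denies
# all group/other access (the effect of chmod -R go-rwx).
# check_mycnf FILE: prints one finding per line; returns 0 only if both
# skip-networking and local-infile=0 are active in the [mysqld] section.
check_mycnf() {
    rc=0
    # Extract the [mysqld] section: from its header to the next [section].
    section=$(awk '/^\[mysqld\]/{s=1; next} /^\[/{s=0} s' "$1")
    if printf '%s\n' "$section" | grep -Eq '^[[:space:]]*skip-networking([[:space:]]|$)'; then
        echo "OK   skip-networking active: port 3306 is not listening"
    else
        echo "WARN skip-networking missing or still commented out"; rc=1
    fi
    # Accept both the old set-variable form and the plain option form.
    if printf '%s\n' "$section" |
       grep -Eq '^[[:space:]]*(set-variable[[:space:]]*=[[:space:]]*)?local-infile[[:space:]]*=[[:space:]]*0[[:space:]]*$'; then
        echo "OK   LOAD DATA LOCAL INFILE disabled"
    else
        echo "WARN local-infile is not set to 0"; rc=1
    fi
    return $rc
}
# check_datadir DIR: returns 0 when group and other have no permission bits.
check_datadir() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
# Constructed sample files (not from the article) so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/weak.cnf" <<'EOF'
[mysqld]
# skip-networking
port = 3306
[client]
socket = /chroot/mysql/tmp/mysql.sock
EOF
cat > "$tmp/hard.cnf" <<'EOF'
[mysqld]
skip-networking
set-variable = local-infile=0
[client]
socket = /chroot/mysql/tmp/mysql.sock
EOF
mkdir -p "$tmp/var" && chmod 700 "$tmp/var"
check_mycnf "$tmp/hard.cnf"                       # both checks report OK
if check_mycnf "$tmp/weak.cnf"; then :; else echo "weak.cnf FAILED"; fi
if check_datadir "$tmp/var"; then echo "datadir permissions OK"; fi
```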
How to set MySQL database security

shell> chown -R mysql.mysql /usr/local/mysql/var
shell> chmod -R go-rwx /usr/local/mysql/var

After the modification:

shell> ls -l /usr/local/mysql
total 40
drwxrwxr-x 2 root 4096 Feb 27 20:07 bin
drwxrwxr-x 3 root 4096 Feb 27 20:07 include
drwxrwxr-x 2 root 4096 Feb 27 20:07 info
drwxrwxr-x 3 root 4096 Feb 27 20:07 lib
drwxrwxr-x 2 root 4096 Feb 27 20:07 libexec
drwxrwxr-x 3 root 4096 Feb 27 20:07 man
drwxrwxr-x 6 root 4096 Feb 27 20:07 mysql-test
drwxrwxr-x 3 root 4096 Feb 27 20:07 share
drwxrwxr-x 7 root 4096 Feb 27 20:07 SQL-Scripts
drwx------ 4 mysql 4096 Feb 27 var
shell> ls -l /usr/local/mysql/var
total 8
drwx------ 2 mysql 4096 Feb 27 mysql
drwx------ 2 mysql 4096 Feb 27 test
shell> ls -l /usr/local/mysql/var/mysql
total 104
-rw------- 1 mysql 0 Feb 27 20:08 columns_priv.MYD
-rw------- 1 mysql 1024 Feb 27 columns_priv.MYI
-rw------- 1 mysql 8778 Feb 27 columns_priv.frm
-rw------- 1 mysql 302 Feb 27 db.MYD
-rw------- 1 mysql 3072 Feb 27 db.MYI
-rw------- 1 mysql 8982 Feb 27 db.frm
-rw------- 1 mysql 0 Feb 27 20:08 func.MYD
-rw------- 1 mysql 1024 Feb 27 func.MYI
-rw------- 1 mysql 8641 Feb 27 func.frm
-rw------- 1 mysql 0 Feb 27 20:08 host.MYD
-rw------- 1 mysql 1024 Feb 27 host.MYI
-rw------- 1 mysql 8958 Feb 27 host.frm
-rw------- 1 mysql 0 Feb 27 20:08 tables_priv.MYD
-rw------- 1 mysql 1024 Feb 27 tables_priv.MYI
-rw------- 1 mysql 8877 Feb 27 tables_priv.frm
-rw------- 1 mysql 428 Feb 27 user.MYD
-rw------- 1 mysql 2048 Feb 27 user.MYI
-rw------- 1 mysql 9148 Feb 27 user.frm

Do not start the service as root. Starting a service as root directly affects security: if the service program has a problem, a remote attacker can gain full control of the host. MySQL has made minor changes here: starting from 3.23.15, a default installation starts the service as the mysql user, and to start it as root you must add the --user=root parameter (./safe_mysqld --user=root &). Because MySQL has the LOAD DATA INFILE and SELECT ... INTO OUTFILE SQL statements, when the MySQL server is started by root, a database user effectively has root's write permission on the file system. MySQL also imposes some restrictions: LOAD DATA INFILE can only read files that are readable by everyone, and SELECT ... INTO OUTFILE cannot overwrite existing files.

Local log files are also easy to overlook: shell history and MySQL history. Some users who log on locally or back up the database put the database password directly in the command-line parameters:

shell> /usr/local/mysql/bin/mysqldump -uroot -ptest test > test.sql
shell> /usr/local/mysql/bin/mysql -uroot -ptest

Commands typed at the shell are written by the shell (bash, for example) to a history file in the user's home directory, .bash_history; if that file is read carefully, the database password leaks. When the user logs into the database and executes SQL commands, MySQL also records them in .mysql_history in the user's home directory; if the database user changed the database password with an SQL statement, .mysql_history leaks it too. So when we log in at the shell and back up the database, we should not put the password directly after -p, but let the prompt ask for the database password.
The two files should also be prevented from recording our operations:

shell> rm .bash_history .mysql_history
shell> ln -s /dev/null .bash_history
shell> ln -s /dev/null .mysql_history

The two commands above link both files to /dev/null, so our operations are no longer recorded in them.
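The following checker is an added example, not code from the original article. It scans a history file for mysql, mysqldump or mysqladmin invocations that carry the password on the command line (the -ptest pattern shown above) and verifies whether a history file has been redirected to /dev/null; the sample history lines are constructed here.

```shell
# Added helper (not from the article): finds MySQL client invocations in a
# history file that carry the password on the command line, and checks whether
# a history file has been redirected to /dev/null as described above.
# leaked_password_lines FILE: prints lines that run mysql, mysqldump or
# mysqladmin with an inline password (-pSECRET or --password=SECRET).
# A bare "-p" that makes the client prompt for the password is not reported.
leaked_password_lines() {
    grep -E '(^|[/[:space:]])(mysql|mysqldump|mysqladmin)([[:space:]]|$)' "$1" |
        grep -E '(^|[[:space:]])(-p[^[:space:]]+|--password=[^[:space:]]+)'
}
# count_leaks FILE: number of such lines, 0 when the file is clean.
count_leaks() {
    leaked_password_lines "$1" | wc -l | tr -d ' '
}
# history_neutralized FILE: returns 0 when FILE is a symlink to /dev/null.
history_neutralized() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}
# Constructed sample history (not a real user's file) so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/bash_history" <<'EOF'
ls -l /usr/local/mysql/var
/usr/local/mysql/bin/mysqldump -uroot -ptest test > test.sql
/usr/local/mysql/bin/mysql -uroot -p
/usr/local/mysql/bin/mysql -uroot --password=test
mysqladmin -u root -p status
EOF
ln -s /dev/null "$tmp/mysql_history"
echo "lines leaking a password: $(count_leaks "$tmp/bash_history")"   # 2
leaked_password_lines "$tmp/bash_history"
if history_neutralized "$tmp/mysql_history"; then echo "mysql_history -> /dev/null"; fi
```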
A database system consists of a series of databases, and each database contains a series of tables. MySQL creates a directory under the data directory named after each database, and each table is stored in that database directory as files named after the table with the extensions .MYD, .MYI and .frm.

The MySQL grant tables provide flexible access control for database access, but a local user with read permission on the database files needs only to package the database directory and copy it into the data directory of their own MySQL instance to access and steal the database. Therefore host security comes first, then the security of the data directory and data files, and then the permission settings.
