23 Considerations for using the MySQL database

With MySQL, security issues cannot be noticed. Here are 23 things to note about MySQL tips:

1. If the client and server-side connections need to cross over and pass through an untrusted network, you will need to use an SSH tunnel to encrypt the communication for that connection.

2. With the SET Password statement to modify the user's password, three steps, first "Mysql-u root" log into the database system, and then "mysql> Update Mysql.user set Password=password (' Newpwd ')", The final implementation of the "flush privileges" is OK.

3. Attacks that need to be guarded against eavesdropping, tampering, playback, denial of service, etc., do not involve usability and fault tolerance. All connections, queries, and other operations are performed using security methods based on ACLs, which are access control lists. There are also some support for SSL connections.

4. Any user other than the root user is not allowed access to the user table in the MySQL master database;

Once the encrypted user password is encrypted and stored in the user table, the other person can use the corresponding database of the username/password as soon as it is compromised;

5. The use of GRANT and REVOKE statements for user access control work;

6. Instead of using plaintext passwords, you use a one-way MD5 () and SHA1 () to set the password;

7. Do not use the word in the dictionary to do the password;

8. Use a firewall to remove 50% of external hazards, so that the database system behind the firewall to work, or placed in the DMZ area;

9. The use of Nmap to scan 3306 ports from the Internet can also be tested using Telnet server_host 3306, which does not allow access to the TCP port No. 3306 of the database server from untrusted networks, so it needs to be set on a firewall or router;

10. In order to prevent malicious incoming illegal arguments, such as where id=234, others enter where id=234 or 1=1 cause all to be displayed, use "or" in a Web form to use a string, add%22 in a dynamic URL to represent double quotes,% 23 for well numbers,% 27 represents single quotes; passing unchecked values to the MySQL database is very dangerous;

11. Check the size when passing data to MySQL;

12. Applications need to connect to the database should use a general user account, only open a few necessary permissions to the user;

13. Use a specific ' escape character ' function in each programming interface (c C + + PHP Perl Java jdbc, etc.);

The use of MySQL database on the Internet must be used less data transmitted in plaintext, and SSL and SSH encryption method data transmission;

14. Learn to use the tcpdump and strings tools to view the security of transmitted data, such as Tcpdump-l-I eth0-w-src or DST Port 3306 | Strings To start MySQL database service with ordinary users;

15. Do not use the join symbol of the table, choose the parameter--skip-symbolic-links;

16. Be sure that only users starting the database service in the MySQL directory can have read and write permissions on the file;

17. You are not allowed to pay process or super permissions to unmanaged users, the Mysqladmin processlist can enumerate the currently executing query text; Super permissions can be used to sever client connections, change server running parameter status, and control copy database server;

18.file permissions are not paid to users other than administrators, to prevent the occurrence of load data '/etc/passwd ' into the table and then use Select to display the problem;

19. If you do not trust the services of the DNS service company, you can set only the IP numeric address in the Host name allow table;

20. Use the max_user_connections variable to allow the MYSQLD service process to limit the number of connections to a given account;

The 21.grant statement also supports resource control options;

22. Start the security option switch for the MYSQLD service process,--local-infile=0 or 1 if 0 the client program is unable to use local load data, an example of empowerment is grant insert (user) on Mysql.user to ' user _name ' @ ' host_name '; If you use the--skip-grant-tables system, no access control will be made to any user's access, but you can use mysqladmin flush-privileges or mysqladmin Reload to turn on access control by default, the show databases statement is open to all users and can be turned off with--skip-show-databases.

23. You will need to reset your password when encountering error 1045 (28000) Access Denied for user ' root ' @ ' localhost ' (Using password:no) Use the--skip-grant-tables parameter to start the MYSQLD, and then execute the mysql-u root mysql,mysql>update user set Password=password (' NewPassword ') where user= ' root '; mysql>flush privileges; Restart MySQL at the end.