When using MySQL, you must pay attention to security issues. The following are 23 notes for MySQL:
1. If the connection between the client and the server needs to span and pass through an untrusted network, you need to use an SSH tunnel to encrypt the communication between the client and the server.
2. Use the set password statement to modify the user's password. In three steps, first "mysql-u root" is logged into the database system, and then "mysql> update mysql. user set password = password ('newpwd') ", and then execute" flush privileges.
3. Attacks that require protection against eavesdropping, tampering, playback, and denial of service do not involve availability or fault tolerance. Use ACL-based access control lists for all connections, queries, and other operations. There are also some support for SSL connections.
4. Other users except root users are not allowed to access the user table in the mysql primary database;
Once the encrypted user password stored in the user table is disclosed, other users can use the user name/password-related database at will;
5. Use grant and revoke statements for user access control;
6. Instead of using a plaintext password, you can use md5 () and sha1 () to set the password;
7. Do not use words in the dictionary as passwords;
8. Use a firewall to remove 50% of external risks, so that the database system can work behind the firewall or be placed in the DMZ area;
9. You can use nmap to scan port 3306 over the Internet. You can also use telnet server_host 3306 to test the function. You cannot access port 3306 of the database server from a untrusted network, therefore, you need to configure the firewall or vro;
10. To prevent malicious input of illegal parameters, for example, where ID = 234, others enter where ID = 234 OR 1 = 1 to display all of them, therefore, use ''or" "In web forms to use strings. Add % 22 to dynamic URLs to indicate double quotation marks, % 23 to indicate the well number, and % 27 to indicate single quotation marks; it is very dangerous to pass unchecked values to the mysql database;
11. Check the size when passing data to mysql;
12. To connect an application to a database, you should use a general user account and grant only a few necessary permissions to the user;
13. Use the specific 'escape characters' function in each programming interface (C ++ PHP Perl Java JDBC, etc;
When using mysql databases over the internet, you must transmit less plain text data, but use SSL and SSH encryption for data transmission;
14. Learn to use tcpdump and strings tools to view the security of transmitted data, such as tcpdump-l-I eth0-w-src or dst port 3306 | strings. Start the mysql database service as a common user;
15. Do not use the join symbol of the table. The selected parameter is skip-symbolic-links;
16. Make sure that only the user who starts the Database Service can have the read and write permissions on the file in the mysql directory;
17. Do not grant process or super permissions to non-administrator users. The mysqladmin processlist can list the query text currently executed; the super permission can be used to disconnect the client, change the running parameter status of the server, and control the server that copies and copies the database;
18. The file permission is not paid to users other than the administrator, preventing the problem of loading data '/etc/passwd' to the table and then displaying it with select;
19. If you do not trust the services of the DNS service company, you can set only the IP address in the Host Name table;
20. Use the max_user_connections variable to enable the mysqld service process to limit the number of connections to a specified account;
21. The grant statement also supports resource control options;
22. Start the Security Option Switch of the mysqld service process. -- local-infile = 0 or 1 if it is 0, the client program cannot use local load data. An example of granting permissions is grant insert (user) on mysql. user to 'user _ name' @ 'host _ name'; if you use -- skip-grant-tables, the system will not control access to any user, however, you can use mysqladmin flush-privileges or mysqladmin reload to enable access control. By default, the show databases statement is open to all users. You can use -- skip-show-databases to disable it.
23. When an Error occurs in Error 1045 (28000) Access Denied for user 'root' @ 'localhost' (Using password: NO), you need to reset the password: start mysqld with the -- skip-grant-tables parameter, and then execute mysql-u root mysql, mysql> update user set password = password ('newpassword') where user = 'root '; mysql> Flush privileges; and then restart mysql.