MySQL General Security Guide

Any
Use MySQL on a networked computer
Users should read this section carefully to avoid the most common security problems.

When discussing security, we emphasize the need to fully protect the security of the entire server host (
Not just MySQL
Server)
Prevent various types of attacks: eavesdropping, modification, replay, and denial of service. We cannot cover all aspects of content and measures here.

MySQL
Based on the access control list (ACL)
Perform Security Management on all connections, queries, and operations attempted by other users. MySQL
The client and server also support SSL-
Encrypted connection. Many of the concepts discussed here are not mysql
Proprietary; this idea applies to almost all applications.

Run MySQL
Follow the following instructions as much as possible:

·
Do not let anyone (
Besides MySQL


Root
Account)
Access

MySQL
In the database

User
Table!


This is critical.The encrypted password is MySQL.
The real password in.

Know user
The password listed in the table and can access the host accessed by this account.You can easily log on with this user

.

·
Learn MySQL
Access permission system. Grant
And revoke
Statement to control MySQL
. Do not grant the required permissions. You must not authorize all hosts.

Check List:

O
Try mysql-u Root
. If you can successfully connect to the server without any password, it means there is a problem. Anyone can act as mysqlroot
The user uses all of its permissions to connect to MySQL
Server! View MySQL
For installation instructions, pay special attention to setting the root
Password information.

O
Use show grants
Statement check to see who has accessed what. Then use revoke
Statement.

·
Do not save the plain text password to the database. If your computer is at risk, intruders can get all the passwords and use them. Instead, MD5 () should be used ()
, Sha1 ()
Or one-way hash function.

·
Do not select a password from the dictionary. There are dedicated programs to crack them. Even if "xfish98"

This password is also poor. And "duag98"

Much better, although it contains the same word "fish"
"
But from standard QWERTY
Enter the keyboard to the left. Another way is to use "mhall
"
From the sentence "Mary Had A Little Lamb.
"
The first character of each word. It is easy to remember and input, but it is difficult for people who do not know to guess.

·
Purchase a firewall. This protects you against at least 50% of the various software
. Set MySQL
Put it behind the firewall or in the isolation zone (DMZ)
.

Check List:

O
Try from Internet
Use NMAP
Tool scan port. MySQL
Default port 3306
. Never trust the host to access this port. Another method is to check whether MySQL
A simple way to open the port is to try the following command from a remote machine, where server_host
Yes MySQL
Host running on the server:

o                     shell> telnet server_host 3306

If a connection is obtained and some junk characters are obtained, the port is opened and should be disabled from the firewall or vro unless you have reasonable reasons to open it. If Telnet
If the connection is suspended or rejected, the port is blocked. This is what you want.

Do not trust any data input by users of the application. They can use web
Form, URL
Or build applications that enter special or escape character sequences to try to fool your code. If a user inputs ";
Drop database MySQL ;"
Make sure that your applications are secure. This is a special case, but when hackers use similar technologies, if you are not prepared, there may be large security vulnerabilities and data loss.

A common error is to protect only string data values. Be sure to check the numeric data. If you enter 234
When the application generates the query select * from table where
Id = 234
You can enter a value of 234 or 1 = 1.
Make the application generate the query select * from table where id = 234 or 1 = 1
. The result is that the server searches for each record in the table. This will expose each record and cause excessive server load. The simplest way to protect against such attacks is to use single quotes to cause numeric constants: Select * from table where id = '20160301'
. If you enter other information, it will all become part of the string. In the numeric section, MySQL
The string is automatically converted to a number and stripped from the additional non-numeric characters contained in the string.

Sometimes people think that if the database only contains data for public use, it does not need to be protected. This is incorrect. Even if you allow the display of any records in the database, you should still protect against DoS attacks (
For example, an attack based on the technology described in the previous section will waste resources on the server)
. Otherwise, your server no longer responds to valid users.

Check List:

O
Try Web
Format: single quotation marks and double quotation marks ('''
And '"')
. If you get any form of MySQL
Error. analyze the cause immediately.

O
Try modifying dynamic URLs
, You can add % 22 ('"')
, % 23 ('#')
And % 27 (''')
.

O
Try dynamic URL
To modify the data type. Use the characters in the preceding example, including numbers and character types. Your application should be secure enough to prevent such modifications and similar attacks.

O
Try to enter characters, spaces, and special characters. Do not enter numbers in numeric fields. Your application should pass them to MySQL
Previously, they were deleted or generated incorrectly. Pass unchecked values to MySQL
It's dangerous!

O
Send data to MySQL
Check its size before.

O
Use a user name other than the management account to connect the application to the database. Do not grant unnecessary access permissions to the application.

·
Many application programming interfaces provide special characters to escape data values. If correct, you can prevent the application user from entering the value of the statement that causes the application to generate unexpected results:

O MySQL C API
: Use mysql_real_escape_string () API
Call.

O MySQL ++
: Use escape to query a stream
And quote
Modifier.

O PHP
: Use mysql_escape_string ()
Functions are based on MySQL C API
. (
In PHP 4.0.3
Before,
Use addslashes ()
). In PHP
5
Medium,
You can use mysqli
Extension, which supports improved MySQL
Authentication Protocol and password, as well as statements written with placeholders.

O Perl DBI
: Use quote ()
Method or use a placeholder.

O Java JDBC
: Use a preparedstatement
Objects and placeholders.

Other programming interfaces have similar functions.

·
Do not use the Internet
Transfer plaintext (
Unencrypted)
Data. This information can be accessed by anyone who has enough time and ability to intercept it and use it for personal purposes. Instead, use encryption protocols such as SSL
Or SSH
. MySQL
Supports internal SSL
Connection, such as version 4.0.0
. You can use SSH
Port ing creates encryption for Communication (
And compress)
.

·
Learn to use tcpdump
And strings
Tool. In most cases, you can use the following command to check whether MySQL
Data streams are not encrypted:

·                shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings

(
This command is available in Linux
Can work, should be able to work after small modifications in other systems ).
Warning if you do not see the plaintext data, it does not necessarily indicate that the information is actually encrypted. If you need higher-level security, consult a security expert.