When you run MySQL, security cannot be ignored. The following are 23 notes on securing MySQL:
1. If the client-server connection has to cross an untrusted network, use an SSH tunnel to encrypt the connection's traffic.
2. To change a user's password with an SQL statement, there are three steps: first log in to the database system with `mysql -u root`, then run `mysql> update mysql.user set password = password('newpwd')` (as in note 23, add a WHERE clause so that only the intended account is changed), and finally run `flush privileges`.
3. Be aware of the attacks to guard against: eavesdropping, tampering, replay and denial of service; this does not cover availability and fault tolerance. All connections, queries and other operations are protected by ACL-based (access control list) security measures. There is also some support for SSL connections.
4. No user other than root should be permitted to access the user table in the mysql system database. Even though the passwords stored in the user table are hashed, anyone who can read them could use them, together with the corresponding user name, to access the database.
5. Use the GRANT and REVOKE statements for user access control.
6. Do not store plaintext passwords; set them using one-way hash functions such as MD5() and SHA1().
7. Do not use dictionary words as passwords.
8. Use a firewall to remove 50% of the external danger: let the database system work behind the firewall, or place it in the DMZ.
9. From the Internet, use nmap to scan port 3306, or use `telnet server_host 3306` as another test method. Access to TCP port 3306 on the database server must not be allowed from untrusted networks; configure the firewall or router accordingly.
10. Guard against malicious parameters: a query meant to run with `where ID = 234` becomes `where ID = 234 OR 1 = 1` if that is what the user enters, and every row is displayed. Check web form input for quote characters and the string `or`, and check dynamic URLs for %22 (double quote), %23 (pound sign) and %27 (single quote). Passing unchecked values to the MySQL database is very dangerous.
11. Check the size of data before passing it to MySQL.
12. Applications that need to connect to the database should use a normal user account, granting that user only the few permissions it needs.
13. Use the specific 'escape character' functions provided by the various programming interfaces (C++, PHP, Perl, Java, JDBC, etc.). A MySQL database on the Internet must transmit as little data in the clear as possible; use SSL and SSH to encrypt data transmission.
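The injection in note 10, the size check in note 11 and the escaping in note 13, as an added example that is not part of the original article: the vulnerable concatenated query beside a version that validates the value and binds it as a parameter, plus a small check for the encoded markers note 10 lists. It uses Python's sqlite3 in-memory database as a stand-in for MySQL so that it runs offline; the `accounts` table and its rows are constructed for the example.

```python
import sqlite3
from urllib.parse import unquote

def make_db():
    """Constructed sample table; sqlite3 in-memory stands in for MySQL here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(234, "alice"), (235, "bob"), (236, "carol")])
    return conn

DB = make_db()

def lookup_concat(raw_id, conn=DB):
    """Vulnerable form from note 10: the decoded URL parameter is pasted into
    the query text, so '234 OR 1=1' makes the server return every row."""
    sql = "SELECT id, owner FROM accounts WHERE id = " + unquote(raw_id)
    return conn.execute(sql).fetchall()

def is_valid_id(value):
    """Note 11: reject anything that is not a short positive integer before
    it gets anywhere near the database."""
    return value.isdigit() and len(value) <= 10

def lookup_param(raw_id, conn=DB):
    """Hardened form: the value is checked and then bound as a parameter, so
    the driver escapes it and the server never interprets it as SQL."""
    value = unquote(raw_id)
    if not is_valid_id(value):
        raise ValueError("id must be a short positive integer")
    return conn.execute("SELECT id, owner FROM accounts WHERE id = ?",
                        (int(value),)).fetchall()

def suspicious_url_value(raw_id):
    """Detection helper for note 10: flags the encoded quote, pound sign and
    double-quote markers (%27, %23, %22), their raw forms, or a bare OR."""
    markers = ("%22", "%23", "%27", "'", '"', "#")
    decoded = unquote(raw_id).upper()
    return any(m in raw_id for m in markers) or " OR " in f" {decoded} "
```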
14. Learn to use the tcpdump and strings tools to check whether your transmitted data is protected, for example `tcpdump -l -i eth0 -w - src or dst port 3306 | strings`. Start the MySQL database service as an ordinary user.
15. Do not use symbolic links to tables; use the `--skip-symbolic-links` option.
16. Make sure that only the user who starts the database service has read and write permissions on the files in the MySQL directory.
17. Do not grant the PROCESS or SUPER privilege to non-administrative users: `mysqladmin processlist` lists the text of the queries currently executing, and the SUPER privilege can be used to kill client connections, change the server's operating parameters, and control replication servers.
18. Do not grant the FILE privilege to anyone other than administrators, to prevent someone from using `load data '/etc/passwd'` to load the file into a table and then reading it with SELECT.
19. If you do not trust your DNS service provider, allow only numeric IP addresses in the host name column of the grant tables.
20. Use the max_user_connections variable to make the mysqld server process limit the number of connections for a given account.
21. The GRANT statement also supports resource control options.
22. Start the mysqld server process with its security option switches. `--local-infile=0` or `1`: if 0, client programs cannot use LOAD DATA LOCAL. An example of a grant: `grant insert (user) on mysql.user to 'user_name'@'host_name';`. If you start with `--skip-grant-tables`, the system applies no access control to any user, but you can use `mysqladmin flush-privileges` or `mysqladmin reload` to turn access control back on. By default the SHOW DATABASES statement is open to all users; you can use `--skip-show-databases` to turn it off.
23. When you get `ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)`, you need to reset the password: start mysqld with the `--skip-grant-tables` parameter, then run `mysql -u root mysql`, `mysql> update user set password = password('newpassword') where user = 'root';` and `mysql> flush privileges;`, and finally restart MySQL.