mysql database you need to pay special attention to the 23 items

Use MySQL, security issues can not fail to pay attention. The following are 23 notes for the MySQL prompt:

1. If the client-server connection needs to cross and pass an untrusted network, then you need to use an SSH tunnel to encrypt the connection's traffic.

2 set password statement to modify the user's password, three steps, first "mysql-u root" login database system, then "mysql> update mysql.user set password = password ('newpwd')", the final implementation of the "flush privileges "on it.

3. Need to beware of attacks, anti-eavesdropping, tampering, playback, denial of service, does not involve the availability and fault tolerance. For all connections, queries, and other operations using ACL-based access control list to complete the security measures. There are also some support for SSL connections.

4. Any user other than the root user is not allowed to access the user table in the MySQL master database;

Once encrypted, the encrypted user's password, stored in the user table, can be freely used by other users with the corresponding user name / password database.

5 with grant and revoke statements for user access control work;

6. Instead of using a plain text password, set the password using one-way hash functions such as md5 () and sha1 ()

7. Do not use the dictionary word to do the password;

8. Using a firewall to remove 50% of the external danger, let the database system hiding behind the firewall work, or placed in the DMZ area;

9. From the Internet using nmap to scan port 3306, telnet server_host 3306 can also be used to test the method can not be allowed from the untrusted network to access the database server 3306 TCP port, so you need to do the settings on the firewall or router;

10. In order to prevent malicious incoming malicious parameters, such as where ID = 234, but others enter the where ID = 234 OR 1 = 1 lead to the full display, so the use of web forms or "" to string, dynamic URL% 22 for double quotes,% 23 for the pound sign,% 27 for single quotes; passing unchecked values ​​to the mysql database is very dangerous;

Check the size when passing data to MySQL

12 applications need to connect to the database should use a normal user account, open only a few necessary permissions to the user;

13. Use specific 'escape character' functions in various programming interfaces (C ++ PHP Perl Java JDBC, etc);

In the mysql database on the Internet must use less clear data transmission, and use SSL and SSH encryption data transmission;

14. Learn to use the tcpdump and strings tools to view the security of your transmitted data, for example tcpdump -l -i eth0 -w -src or dst port 3306 | strings. To ordinary users to start mysql database services;

15. do not use to join the table symbols, optional parameters -skip-symbolic-links;

16. Confidence in the mysql directory only to start the database service users can have read and write permissions on the file;

17. Do not allow process or super privileges to non-administrative users, the mysqladmin processlist can list the currently executing query text; super authority can be used to cut off the client connection, change the status of the server operating parameters, copy and control the copy server database;

18.file permissions do not pay other than the administrator to prevent load data '/ etc / passwd' to select the table and then select the problem;

19. If you do not trust the service of the DNS service company, you can set only the IP numeric address in the host name allowance table;

Use the max_user_connections variable to make the mysqld service process limit the number of connections for a given account;

21.grant statement also supports resource control options;

22. Start the mysqld service process security options switch, -local-infile = 0 or 1 if 0 then the client program can not use local load data, an example of the empowerment grant insert (user) on mysql.user to 'user_name '@host_name'; If you use -skip-grant-tablesystem will not make any access control to any user, but you can use mysqladmin flush-privileges or mysqladmin reload to open the access control; The default is the show databases statement for all users Open, you can use -skip-show-databases to shut down.

23. When you get Error 1045 (28000) Access Denied for user 'root' @ localhost '(Using password: NO), you need to reset your password by starting mysqld with the -skip-grant-tables parameter, Then execute mysql-u root mysql, mysql> update user set password = password ('newpassword') where user = 'root'; mysql> Flush privileges ;, finally restart mysql.