When using MySQL, security cannot be ignored. The following are 23 MySQL security notes:
1. If the connection between the client and the server has to cross an untrusted network, use an SSH tunnel to encrypt the connection's traffic.
2. Use the set password statement to change a user's password. In three steps: first log in to the database system with "mysql -u root", then run "mysql> update mysql.user set password=password('newpwd')", and finally execute "flush privileges".
3. Attacks to guard against include eavesdropping, tampering, replay, denial of service, and so on; this does not cover availability or fault tolerance. All connections, queries, and other operations are subject to security checks based on ACLs (access control lists). There is also some support for SSL connections.
4. Do not allow any user other than root to access the user table in the mysql system database; once the encrypted user passwords stored in the user table leak, anyone can use the corresponding username/password to access the database at will;
5. Use grant and revoke statements to control user access;
6. Do not store passwords in plain text; set passwords using one-way hash functions such as md5() and sha1();
7. Do not use dictionary words as passwords;
8. Use a firewall to eliminate 50% of external threats; run the database system behind the firewall, or place it in a DMZ;
9. Use nmap to scan port 3306 from the Internet, or use "telnet server_host 3306", to verify that TCP port 3306 of the database server cannot be reached from an untrusted network; configure the firewall or router accordingly;
10. To prevent malicious parameters from being passed in, for example where ID=234 being turned into where ID=234 OR 1=1 so that all rows are displayed, quote string values from the web form with '' or "", and in dynamic URLs use %22 for a double quote, %23 for the pound sign, and %27 for a single quote; passing unchecked values to the mysql database is very dangerous;
11. Check the size of data before passing it to mysql;
12. Applications that connect to the database should use ordinary user accounts, granting each user only the few permissions it needs;
13. Use the specific escaping functions of each programming interface (C, C++, PHP, Perl, Java, JDBC, etc.); when using the mysql database over the Internet, transmit as little plain text data as possible and use SSL and SSH to send encrypted data instead;
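Notes 10, 11 and 13 above describe the same defence from three angles: check the size of the input, keep it out of the SQL text (escaping or, better, bound parameters), and see what happens when you don't. The script below is an added example, not code from the original notes; it uses Python's built-in sqlite3 as a stand-in for MySQL so it runs offline (with a MySQL driver the placeholder is %s instead of ?, everything else is the same), and the users table and its rows are constructed sample data.

```python
"""Added example: the 'where ID=234' -> 'where ID=234 OR 1=1' problem from
note 10, and the size check plus bound parameter that prevent it.
sqlite3 stands in for MySQL so the script runs offline."""
import sqlite3

MAX_PARAM_LEN = 10  # note 11: check the size of data before passing it on

# Constructed sample rows standing in for a real users table.
SAMPLE_ROWS = [(100, "alice"), (234, "bob"), (987, "carol")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_user_vulnerable(conn, user_id):
    """Builds the statement by string concatenation: the value from the web
    form becomes part of the SQL text, so '234 OR 1=1' returns every row."""
    sql = "SELECT id, name FROM users WHERE id=" + user_id
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_id):
    """Reject oversized or non-numeric input, then bind the value as a
    parameter so the database only ever compares it as data."""
    if len(user_id) > MAX_PARAM_LEN:
        raise ValueError("parameter too long")
    if not user_id.isdigit():
        raise ValueError("id must be numeric")
    sql = "SELECT id, name FROM users WHERE id=?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def rejected(conn, user_id):
    """True when the safe lookup refuses the input."""
    try:
        find_user_safe(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal   :", find_user_vulnerable(db, "234"))
    print("vulnerable, injected :", find_user_vulnerable(db, "234 OR 1=1"))
    print("safe, normal         :", find_user_safe(db, "234"))
    print("safe, injected       : rejected =", rejected(db, "234 OR 1=1"))
```

The numeric check is deliberately strict: for an integer column there is no reason to accept anything but digits, and the bound parameter means that even a value that passes validation can never be parsed as SQL.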
14. Learn to use the tcpdump and strings tools to check the security of transmitted data, for example: tcpdump -l -i eth0 -w - src or dst port 3306 | strings. Start the mysql database service as an ordinary user;
15. Do not use symbolic links to tables; start the server with the --skip-symbolic-links option;
16. Make sure that only the user who starts the database service has read and write permission on the mysql data directory;
17. Do not grant the process or super privilege to non-administrative users. mysqladmin processlist can list the text of currently executing queries; the super privilege can be used to kill client connections, change server operating parameters, and control replication servers;
18. Do not grant the file privilege to users other than administrators, to prevent '/etc/passwd' from being loaded into a table with load data and then displayed with select;
19. If you do not trust your DNS provider, set only numeric IP addresses in the host column of the privilege tables;
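Notes 4, 17, 18 and 19 all come down to what SHOW GRANTS reports for each account. The script below is an added example, not part of the original notes: it parses grant lines in the format mysql prints them and flags the conditions those notes warn about (file/process/super or all privileges held by a non-administrator, any access to tables in the mysql database, and hosts given as DNS names rather than numeric addresses). The grant lines are constructed sample output, and the set of administrator accounts is an assumption for the example; on a real server feed it the output of SHOW GRANTS FOR 'user'@'host' for each account in mysql.user.

```python
"""Added example: audit SHOW GRANTS output for the privileges that notes
4, 17, 18 and 19 say ordinary accounts must not hold."""
import re

# Privileges that give a non-administrator control over the server or host.
DANGEROUS = {"FILE", "PROCESS", "SUPER", "ALL PRIVILEGES"}
ADMINS = {"root"}  # assumption for this example: accounts allowed to hold them

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']+)'@'(?P<host>[^']+)'"
)

# Constructed sample lines, in the format mysql prints for SHOW GRANTS.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `app`.* TO 'webapp'@'10.0.0.%'",
    "GRANT FILE, PROCESS ON *.* TO 'report'@'%'",
    "GRANT SUPER ON *.* TO 'backup'@'localhost'",
    "GRANT SELECT ON `mysql`.`user` TO 'monitor'@'localhost'",
    "GRANT SELECT ON `app`.* TO 'reader'@'db-client.example.com'",
]


def host_is_numeric(host):
    """Note 19: accept localhost or hosts made only of digits, dots and %."""
    return host == "localhost" or re.fullmatch(r"[0-9.%]+", host) is not None


def audit_grants(lines, admins=ADMINS):
    """Return (account, issue) pairs for every grant that breaks the notes."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line)
        if not m:
            continue  # not a GRANT line (e.g. a header or a blank line)
        user, host = m["user"], m["host"]
        account = f"{user}@{host}"
        if user in admins:
            continue  # administrators may hold these privileges
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        scope = m["scope"].replace("`", "")
        for p in sorted(privs & DANGEROUS):
            findings.append((account, f"holds {p}"))  # notes 17 and 18
        if scope.startswith("mysql."):
            findings.append((account, f"can access {scope}"))  # note 4
        if not host_is_numeric(host):
            findings.append((account, f"host '{host}' relies on DNS"))  # note 19
    return findings


if __name__ == "__main__":
    for account, issue in audit_grants(SAMPLE_GRANTS):
        print(f"{account}: {issue}")
```

In the sample, webapp@10.0.0.% is the shape note 12 asks for (a few privileges on one application database, numeric host) and produces no finding; the other non-root accounts each trip one of the rules.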
20. Use the max_user_connections variable to let the mysqld server process limit the number of connections for a given account;
21. The grant statement also supports resource control options;
22. Use the security option switches of the mysqld server process: --local-infile=0 or 1; with 0, client programs cannot use load data local. An example grant: grant insert(user) on mysql.user to 'user_name'@'host_name'; if the server is started with --skip-grant-tables, it performs no access control for any user, but you can run mysqladmin flush-privileges or mysqladmin reload to enable access control again; by default the show databases statement is available to all users, and --skip-show-database turns it off.
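Notes 14, 15, 20 and 22 are all server start-up settings, so they can be checked in one pass over the [mysqld] section of the option file. The script below is an added example, not part of the original notes: it parses a my.cnf-style text, reads only the [mysqld] section (MySQL accepts option names with either hyphens or underscores, so both are normalised), and reports settings that contradict the notes. The two configuration texts are constructed samples; the choice of which options to check is drawn from the notes, not from the project.

```python
"""Added example: audit the [mysqld] section of an option file against
notes 14 (run as an ordinary user), 15 (skip-symbolic-links),
20 (max_user_connections) and 22 (local-infile, skip-show-database,
no skip-grant-tables)."""

# Constructed sample: a weak configuration.
WEAK_CNF = """
[client]
local-infile=0        # only affects the client, not the server

[mysqld]
user=root
local-infile=1
symbolic-links=1
skip-grant-tables
port=3306
"""

# Constructed sample: the same server with the notes applied.
HARDENED_CNF = """
[mysqld]
user=mysql
local-infile=0
skip-symbolic-links
skip-show-database
max_user_connections=50
port=3306
"""


def parse_mysqld_section(text):
    """Return {option: value or None} for the [mysqld] section only.
    Hyphens are normalised to underscores; bare options map to None."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        opts[key.strip().replace("-", "_")] = value.strip() or None
    return opts


def audit_mysqld(opts):
    """Return one finding string per setting that contradicts the notes."""
    findings = []
    if opts.get("user") in (None, "root"):
        findings.append("user: run mysqld as an ordinary user (note 14)")
    if opts.get("local_infile") != "0":
        findings.append("local-infile: set to 0 so clients cannot use load data local (note 22)")
    if "skip_symbolic_links" not in opts and opts.get("symbolic_links") != "0":
        findings.append("symbolic links: add skip-symbolic-links (note 15)")
    if "skip_show_database" not in opts:
        findings.append("show databases: add skip-show-database (note 22)")
    if "skip_grant_tables" in opts:
        findings.append("skip-grant-tables: remove it, no access control is enforced (note 22)")
    if "max_user_connections" not in opts:
        findings.append("max_user_connections: set a per-account connection limit (note 20)")
    return findings


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"{name}: {audit_mysqld(parse_mysqld_section(cnf)) or 'no findings'}")
```

Note that local-infile in the [client] section of the weak sample is ignored on purpose: it only changes what the client offers, while the server-side switch from note 22 is the one that actually refuses load data local.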
23. When you encounter the error "ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)", you need to reset the password. The method: first start mysqld with the --skip-grant-tables parameter, then execute mysql -u root mysql, then mysql> update user set password=password('newpassword') where user='root'; mysql> flush privileges;, and finally restart mysql.