
General Protection Recommendations

Anyone using MySQL (or any other SQL server) on a computer connected to the Internet should read this section to avoid the most common security mistakes.

It is necessary, however, to emphasize the importance of protecting the entire server (not just the MySQL server) against all types of applicable attacks. Unfortunately, this article cannot cover every aspect of security, but the most important problems are covered fairly fully.

MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations that a user can attempt to perform. There is also some support for SSL-encrypted connections between MySQL clients and servers. Many of the concepts discussed in this article are not specific to MySQL and can be applied to all applications.

When running MySQL, follow these recommendations whenever possible:

Do not give anyone (except the MySQL administrator) access to the user table in the mysql database. The encrypted password is the real password in MySQL. If you know the password listed in the user table for a given user, you can easily log in as that user if you have access to the host listed for that account.

Study the MySQL access privilege system. The GRANT and REVOKE commands are used to control access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts on the network. Checklist:

1. Try mysql -u root. If you can connect to the server without being asked for a password, then you have a problem. Anyone can connect to your MySQL server as the MySQL root user with full privileges. Carefully read the MySQL installation instructions, paying attention to the options for setting a password.

2. Use the SHOW GRANTS command and check who has access to what. Remove unnecessary privileges using the REVOKE command.

Do not store passwords as plain text in your database. If your computer is compromised, an intruder can get the full list of passwords and use them. Instead, use the MD5 algorithm or any other one based on a one-way hash function.

Do not choose passwords from dictionaries. There are special programs to crack them. Even passwords like "xfish98" are very bad. Much better is "duag98", which contains the same word "fish" but typed one key to the left on the keyboard. Another method is to use a password such as "UIBBR", which consists of the first letters of the words in the sentence "Mary there was a big child." Such passwords are easy to remember and type, but difficult for an attacker to guess.

Use a firewall. It will protect you from at least 50% of exploited vulnerabilities in any software. MySQL uses port 3306 by default. This port should be accessible only from trusted computers. The easiest way to check whether your MySQL port is open is to try the following command from some remote machine, where server_host is the hostname of your MySQL server:

shell> telnet server_host 3306

Do not trust any data entered by users. They can try to trick your code by entering special characters in a Web form or URL. Make sure that your application remains secure if the user types something like: DROP DATABASE mysql;. This is an extreme example, but many security leaks and much data loss can occur because of hackers using similar methods. Also, do not forget to check numeric data. A common mistake is to protect only strings. Sometimes people think that if a database contains only publicly available data, it does not need to be protected. This is incorrect. At the very least, a DoS attack can be performed against such databases. The easiest way to protect against this type of attack is to use apostrophes around numeric constants:

SELECT * FROM table WHERE ID = '234'. MySQL automatically converts this string to a number and strips all non-numeric characters from it. Checklist:

All Web applications:

1. Try to enter ' and " in your Web forms. If you get any kind of MySQL error, investigate the problem immediately.

2. Try to modify the URL by adding %22 ('"'), %23 ('#'), and %27 (''').

3. Try to change data types in dynamic URLs from numeric characters to the characters given in the previous examples. Your application should be safe against this and similar attacks.

4. Try to enter letters, spaces, and special characters instead of numbers in numeric fields. Your application must remove them before they are passed to MySQL, or it should issue an error.

5. Check data sizes before passing them to MySQL.

6. Your application must connect to the database using a different user than the one you use for administrative purposes. Do not give your applications more rights than they really need.

PHP users:

Check out the addslashes() function. As of PHP 4.0.3, the mysql_escape_string() function is available, which is based on the function of the same name in the MySQL C API.

MySQL C API users:

Check out the mysql_escape_string() API call.

MySQL++ users:

Use the escape and quote modifiers for query streams.

Perl DBI users:

Check out the quote() method or use placeholders.

Java JDBC users:

Use a PreparedStatement object and placeholders.
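The checklist and the placeholder advice above, as an added Python example (not code from the original article). sqlite3 stands in for MySQL so that the block runs offline; the items table, the function names, and the size limit are assumptions made for illustration.

```python
import sqlite3

MAX_ID_DIGITS = 10  # assumed size limit for the numeric field


def make_db():
    """Constructed sample table; sqlite3 stands in for MySQL here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(234, "widget"), (235, "o'brien")])
    return conn


def parse_id(raw):
    """Numeric field: ASCII digits only and bounded length, else ValueError."""
    if not (raw.isascii() and raw.isdigit()) or len(raw) > MAX_ID_DIGITS:
        raise ValueError("id must be 1-%d ASCII digits" % MAX_ID_DIGITS)
    return int(raw)


def find_by_id(conn, raw_id):
    # Validate type and size first, then bind the value through a placeholder.
    return conn.execute("SELECT name FROM items WHERE id = ?",
                        (parse_id(raw_id),)).fetchall()


def find_by_name_unsafe(conn, name):
    # 'Before' form: user input pasted straight into the SQL text.
    return conn.execute("SELECT id FROM items WHERE name = '%s'" % name).fetchall()


def find_by_name(conn, name):
    # Hardened form: the driver passes the value separately from the SQL text.
    return conn.execute("SELECT id FROM items WHERE name = ?", (name,)).fetchall()


def probe(finder, conn, values):
    """Run checklist inputs through a lookup and record how it reacted."""
    report = {}
    for value in values:
        try:
            finder(conn, value)
            report[value] = "ok"
        except ValueError:
            report[value] = "rejected"   # refused by validation, never reached SQL
        except sqlite3.Error:
            report[value] = "sql-error"  # input reached the SQL parser: investigate
    return report
```

A "sql-error" result from probe() is the database error that checklist item 1 says to investigate immediately; the placeholder versions never produce it for these inputs.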

Do not send unencrypted data over the Internet. Such data is available to anyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL or SSH. MySQL supports internal SSL as of version 3.23.9. SSH can be used to create encrypted tunnels.

Learn how to use tcpdump. In most cases, you can check whether the MySQL data streams are actually unencrypted using the following command:

shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings


Sometimes, to protect a site's script from being hacked, you need to pay attention not to specific vulnerabilities (although, of course, you need to fix them), but to protecting the site as a whole (in effect, preventing vulnerabilities before they are found). In this article I will tell you what you need to do periodically on your site in order to protect it from hacking.

If you use a script that is available for free download, keep an eye on its bug tracker and update periodically. New versions often fix serious vulnerabilities found in previous versions.

Also, if your site states which script you use, remove the version number from that information. If the hacker does not know which version you have, he may not use the vulnerability in the version of the script that you have. But, again, only "may not", so still keep it updated.

Now let's look at the mistakes that may be in your self-made script.

1. The password is stored in a file that can be downloaded by a hacker

If access credentials are stored in a file, the file must be protected from being downloaded. Check whether you can open the file containing your login and password through the browser's address bar!

2. The password is stored in a file that is indexed by search engines

By correcting the previous error, you correct this one at the same time. Sometimes the login and password are stored in files that are easily found by Yandex or Google! If you do not correct this mistake, you risk that a hacker will not even target your site specifically, but will simply find a victim through a search engine and hack the first unlucky webmaster who turns up. Do not be that webmaster!

By the way, you can block search engines' access through robots.txt. You should not close off the whole site (where would the visitors come from?), but only those directories that the visitor, and therefore the search robot, should not see.

3. The password is stored in an unencrypted form

The password must be stored in encrypted form. The most preferable form is hashing (the MD5 or SHA1 algorithms can be used), because it is impossible to get the password from the hash directly. But there are online hash databases that may contain the password matching your hash, so use uncommon passwords and passwords made from a random character set.

For more confidence in the reliability of your site's protection, read the hacking articles that are freely available on hacking resources, and try to apply the methods outlined there, as they say, "on yourself."
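An added Python example (not code from the original article) for this point and for the earlier advice not to store passwords as plain text. It swaps bare MD5/SHA1 for PBKDF2-HMAC-SHA256 with a per-user random salt, so that identical passwords no longer produce identical stored values that a hash database could match; the storage format, function names, and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_md5(password):
    """Bare hash: the same password always yields the same, searchable value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return 'scheme$iterations$salt$digest' using a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad number).
        return False
```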