General Protection Recommendations

Anyone using MySQL (or any other SQL server) on a computer connected to the Internet should read this guide in order to avoid the most common security problems.

However, it is necessary to emphasize the importance of fully protecting the entire server host (not just the MySQL server) against all applicable types of attack. Unfortunately, this article cannot cover every aspect of security, but the most important problems are covered fairly fully.

MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations that a user may attempt to perform. There is also some support for SSL-encrypted connections between MySQL clients and servers. Many of the concepts discussed in this article are not specific to MySQL and can be applied to all applications.

When MySQL is running, try to follow these guidelines:

Do not give anyone (except the MySQL administrator) access to the user table in the mysql database. The encrypted password is the real password in MySQL. Anyone who knows the password listed in the user table for an account, and who has access to the host listed for that account, can easily log in as that user.

Learn the MySQL access privilege system. The GRANT and REVOKE commands are used to control access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts on a network. Checks:

1. Try mysql -u root. If you can connect to the server without being asked for a password, you have a problem: anyone can connect to your MySQL server as the MySQL root user with full privileges. Carefully read the MySQL installation instructions, paying attention to the options for setting the root password.

2. Use the SHOW GRANTS command and check who has access to what. Remove privileges that are not needed using the REVOKE command.

Do not store passwords in clear text in your database. If your computer is compromised, the intruder can take the full list of passwords and use them. Instead, use the MD5 algorithm or any other one-way hash function.

Do not choose passwords from dictionaries. There are special programs that crack them. Even passwords like "xfish98" are very bad. Much better is "duag98", which contains the same word "fish" but typed one key to the left on the keyboard. Another method is to use passwords like "UMBR", which is taken from the first letters of the words in the sentence "Mary there was a big kid." Such passwords are easy to remember and type, but difficult for an attacker to guess.

Use a firewall. It protects you from at least 50% of exploited vulnerabilities in any software. MySQL uses port 3306 by default. This port should be accessible only from trusted hosts. The easiest way to check whether your MySQL port is open is to try the following command from some remote machine, where server_host is the host name of your MySQL server:

shell> telnet server_host 3306

Do not trust any data entered by users. They can try to trick your code by typing special characters in a Web form or URL. Make sure your application stays safe if a user enters something like: DROP DATABASE mysql;. This is an extreme example, but many security leaks and data losses occur because attackers use similar techniques. Also, do not forget to check numeric data. A common mistake is to protect only strings. Sometimes people think that if a database contains only publicly available data, it does not need to be protected. This is incorrect. At the very least, a DoS attack can be performed against such databases. The easiest way to protect against this type of attack is to use apostrophes around numeric constants:

SELECT * FROM table WHERE ID = '234'

MySQL automatically converts this string to a number and removes all non-numeric characters from it. Checks:

All Web Applications:

1. Try to enter ' and " in your Web forms. If you get any kind of MySQL error, investigate the problem right away.

2. Try to modify URLs by adding %22 ('"'), %23 ('#'), and %27 (''').

3. Try to change the data types in dynamic URLs from numeric values to values containing the characters from the previous examples. Your application should be safe against this and similar attacks.

4. Try to enter letters, spaces, and special characters instead of numbers in numeric fields. Your application should remove them before passing them to MySQL, or it should generate an error.

5. Check data sizes before passing them to MySQL.

6. Your application should connect to the database as a user other than the one you use for administrative purposes. Do not give your applications more privileges than they really need.

PHP users:

Check out the addslashes() function. As of PHP 4.0.3, a mysql_escape_string() function is available, which is based on the function of the same name in the MySQL C API.

MySQL C API users:

Check out the mysql_escape_string() API call.

MySQL++ users:

Check out the escape and quote modifiers for query streams.

Perl DBI users:

Check out the quote() method or use placeholders.

Java JDBC users:

Use the PreparedStatement object and placeholders.
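
The numeric-field, size and placeholder checks above, as an added example (not code from the original article). It uses Python's built-in sqlite3 module as a stand-in for a MySQL connection so that it runs offline; the items table, MAX_ID_DIGITS and the function names are assumptions, and MySQL drivers for Python use %s rather than ? as the placeholder marker.

```python
import sqlite3

MAX_ID_DIGITS = 9  # assumed size limit for a numeric id field


def parse_numeric_id(raw):
    """Return raw as an int, or raise ValueError if it is not a plain number."""
    if not isinstance(raw, str):
        raise ValueError("id must be text taken from the request")
    if not 1 <= len(raw) <= MAX_ID_DIGITS:
        raise ValueError("id has an unacceptable size")
    # isdigit() alone accepts non-ASCII digits, so require ASCII as well.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("id contains non-numeric characters")
    return int(raw)


def find_item(conn, raw_id):
    """Validate the id, then pass it as a bound parameter, never as SQL text."""
    item_id = parse_numeric_id(raw_id)
    row = conn.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


def find_by_name(conn, raw_name):
    """Strings go through a placeholder too, so quotes stay data."""
    if len(raw_name) > 64:  # assumed column width
        raise ValueError("name is too long")
    rows = conn.execute("SELECT id FROM items WHERE name = ?", (raw_name,))
    return [r[0] for r in rows]


def demo():
    """Run constructed sample inputs against an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(234, "widget"), (235, "o'brien")])
    results = {}
    # Constructed inputs modelled on the checks listed above.
    for raw in ["234", "234; DROP DATABASE mysql;", "'", "%27", " 234", ""]:
        try:
            results[raw] = find_item(conn, raw)
        except ValueError as exc:
            results[raw] = "rejected: " + str(exc)
    results["name"] = find_by_name(conn, "o'brien")
    remaining = conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    return results, remaining
```

Calling demo() returns the per-input outcome and the row count, which stays at 2 because no input ever reaches the server as SQL text.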

Do not transmit unencrypted data over the Internet. Such data is accessible to anyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL or SSH. MySQL supports internal SSL connections as of version 3.23.9. SSH can be used to create encrypted tunnels.

Learn to use tcpdump. In most cases, you can check whether MySQL data streams are unencrypted using the following command:

shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings


Sometimes, to protect a site's scripts from being hacked, you need to pay attention not only to specific vulnerabilities (which, of course, you need to fix) but to protecting the site as a whole (in effect, preventing vulnerabilities before they are found). In this article I will tell you what you need to do periodically on your site to protect it from hacking.

If you use a script that is available for free download, keep an eye on its bug tracker and update it periodically. Newer versions often fix serious vulnerabilities found in previous versions.

Also, if your website indicates which script you are using, remove the version number from that information. If the hacker does not know which version you have, he may not use the vulnerability in the version of the script that you have. But, I repeat, only "may", so keep it updated anyway.

Now let's go through the errors that may be present in a script you wrote yourself.

1. The password is stored in a file that can be downloaded by a hacker.

If access details are contained in a file, then it is necessary to protect it from downloading. Check whether you can open the file containing the username and password through the address bar of the browser!

2. The password is stored in a file that search engines index.

By correcting the previous error, you will correct this one at the same time. Sometimes the login and password are stored in files that Yandex or Google can easily find! If you do not correct this error, you risk that a hacker will not even target your website specifically, but will simply look for victims through a search engine and hack the first unlucky webmaster he finds. Do not be that webmaster!

By the way, you can close access to search engines through robots.txt. You should not close access to the whole site (where would the visitors come from then?), only to those directories that the visitor, and therefore the search robot, should not see.

3. The password is stored unencrypted.

The password must be stored in encrypted form. The preferred method is hashing (you can use the MD5 or SHA1 algorithms), since it is impossible to obtain the password directly from the hash. But there are online hash databases in which the password matching your hash may be stored, so use unusual passwords and passwords made of a random set of characters.
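
The lookup-database weakness described above, as an added example (not code from the original article): identical passwords hashed with plain MD5 give identical values, which is what makes those databases work, while a per-account random salt with a deliberately slow function gives every account a different stored value. PBKDF2-HMAC-SHA256, the iteration count, the storage format and the function names are assumptions chosen for this example and go beyond the article's MD5/SHA1 suggestion.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def md5_hex(password):
    """Unsalted MD5 as the article describes: same password, same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$digest_hex' for storage in the database."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, digest_hex = stored.split("$")
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record: treat as a failed login
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "xfish98"
    print(md5_hex(pw) == md5_hex(pw))  # identical rows, one lookup breaks both
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password("duag98", a))
```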

For more confidence in the protection of your site, read the articles on hacking that are freely published on hacking resources, and try to apply the techniques described there, as they say, "on yourself."