
Database Security


ajoo
Solved by requinix


Hi all,

 

An article on wikiHow on Secure Login Script, in Part 2, under the heading Configure the MySQL Database, states that we can create privileges for users. It then goes on to create a user with details:

 

USER : "sec_user".  

Password "eKcGZr... WU"

 

It then states that "Remember it doesn't need to be a password that you can remember so make it as complicated as possible."

 

The question is regarding this last statement. Why don't we need to remember this password?

 

Also I would like to ask what other security measures do we need to take as regards the MySQL database? Also things like settings in the config files etc.

 

Thanks all !

 

 


  • Solution

Because you aren't going to log into MySQL yourself. It's for the code, and if you ever need to know what it is you can simply go into the code and find it.

 

Also I would like to ask what other security measures do we need to take as regards the MySQL database? Also things like settings in the config files etc.

There's not a whole lot, regarding MySQL specifically. Make sure your users have as limited access as you can get away with: simple read and write users shouldn't need to create databases or alter tables, for example.

 

There aren't really security settings in the config files...


Hi requinix, 

 

Thanks for the reply. I think I get it but just to be doubly sure I'd like to ask some more.

 

 

Because you aren't going to log into MySQL yourself.

Do you mean like log into using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin? I don't think so but please confirm.

 

 

 

simple read and write users shouldn't need to create databases or alter tables

What if my application is altering or updating the tables based on the user interaction, e.g. inserting the scores of the user in a database or altering them?

Now that would be tantamount to a write operation and so would I need to allow INSERT and UPDATE privilege to the user?

 

Thanks for the reply and look forward to some more clarifications.


 

Do you mean like log into using phpMyAdmin? Would setting a password in code affect my logging into phpMyAdmin? I don't think so but please confirm.

No. But you still need to give the correct password to phpmyadmin.

 

 

What if my application is altering or updating the tables based on the user interaction

You misunderstood what requinix meant by alter table. He meant users should not be able to alter the structure of the table (i.e., add/remove columns from the table). A simple read/write user should only be allowed to do select, insert, update and delete operations.

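The privilege split described in the replies above, written out as MySQL statements. This is an added example, not part of any post in the thread or of the wikiHow article; the database name `app_db`, the `localhost` host (web server and MySQL on the same machine) and the password placeholder are assumptions.

```sql
-- Added example. `app_db` and the password are placeholders; 'sec_user' is the
-- account name quoted in the first post. Run as an administrative account.

-- Account used only by the application code, reachable only from this host.
CREATE USER 'sec_user'@'localhost' IDENTIFIED BY '<long-random-password>';

-- Row-level read/write on one schema only. Deliberately not granted:
-- CREATE, ALTER, DROP, INDEX, GRANT OPTION, FILE, SUPER or anything ON *.*
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'sec_user'@'localhost';

-- Confirm what the account really holds.
SHOW GRANTS FOR 'sec_user'@'localhost';

-- Audit 1: schema-level privileges, on any account, that go beyond row
-- read/write (these are the "alter the structure" rights discussed above).
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE PRIVILEGE_TYPE NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
ORDER BY GRANTEE, TABLE_SCHEMA;

-- Audit 2: global (ON *.*) privileges held by the application account.
-- GRANTEE is stored with its quotes, hence the doubled single quotes.
-- Only USAGE (no privileges) should come back for a read/write account.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''sec_user''@''localhost''';

-- Connected as sec_user, INSERT and UPDATE on app_db tables succeed, while
-- ALTER TABLE or DROP TABLE is rejected with a "command denied" error.
```

An application that inserts or updates scores needs only the INSERT and UPDATE privileges shown here; schema changes are done from a separate administrative account.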

Actually I think OP is confusing the word "user" in this instance. In your original post, the "user" being referred to is between server (i.e. apache) and a client-server (mysql). Where a (privileged) "user" could be root or admin or some other entity you set up when creating the database.

 

Later in your second post, I believe you are thinking about a "user" as in a web user who is filling in some form from a web page. Or some entity/person who has authorization to run queries against the database through your scripts. Like updating a table.

 

The connection is owned by the client-server (like MySQL), but the person doing the action (filling in a form and submitting it) is simply an unprivileged web user. MySQL is a client-server to your web user who has authorization to do some task, like updating a table.

 

That's how I'm reading this thread anyway.
