Security Checklist
- Run these steps to check for sufficient privileges.
  - Try mysql -u root.
  - If you are connected to the server without being asked for a password, anyone can connect to the MySQL server as the MySQL root user with full privileges!
  - Use the SHOW GRANTS statement to check which accounts have access to what.
  - Then use the REVOKE statement to remove those privileges that are not necessary.
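The SHOW GRANTS / REVOKE step above, turned into a small audit script. This is an added example, not part of the slides: it parses the lines SHOW GRANTS prints for each account, flags anonymous accounts, accounts allowed in from any host ('%'), and non-root accounts holding broad global privileges, and drafts the REVOKE (or DROP USER, for anonymous accounts, which REVOKE alone cannot remove) statements to review. The sample grant lines and the list of "broad" privileges are assumptions chosen for illustration; root_login_without_password() reproduces the first check on the slide by invoking the mysql client and is skipped if the client is not installed.

```python
"""Audit SHOW GRANTS output and draft REVOKE statements (added example, not from the slides)."""
import re
import subprocess

# Global privileges an ordinary application or reporting account rarely needs (assumption).
BROAD_PRIVS = {"ALL PRIVILEGES", "SUPER", "FILE", "PROCESS", "SHUTDOWN", "GRANT OPTION"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample of what SHOW GRANTS might print for several accounts.
SAMPLE_SHOW_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'shop_rw'@'localhost'",
    "GRANT USAGE ON *.* TO ''@'localhost'",
    "GRANT FILE, PROCESS ON *.* TO 'report'@'10.0.0.5'",
]


def parse_grant(line):
    """Parse one GRANT line into {user, host, object, privs}; None if the line is not a grant."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if "WITH GRANT OPTION" in m.group("rest").upper():
        privs.add("GRANT OPTION")
    return {"user": m.group("user"), "host": m.group("host"),
            "object": m.group("obj"), "privs": privs}


def audit_grants(lines):
    """Return (findings, statements): readable problems and the SQL that would fix each one."""
    findings, statements = [], []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        acct = f"'{g['user']}'@'{g['host']}'"
        if g["user"] == "":
            # An anonymous account cannot be fixed with REVOKE alone; the account has to go.
            findings.append(f"anonymous account {acct} exists")
            statements.append(f"DROP USER {acct};")
            continue
        if g["host"] == "%":
            findings.append(f"{acct} is allowed to connect from any host")
        broad = g["privs"] & BROAD_PRIVS
        if broad and g["object"] == "*.*" and g["user"] != "root":
            findings.append(f"{acct} holds global {', '.join(sorted(broad))}")
            if "ALL PRIVILEGES" in broad:
                statements.append(f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM {acct};")
            else:
                statements.append(f"REVOKE {', '.join(sorted(broad))} ON *.* FROM {acct};")
    return findings, statements


def root_login_without_password():
    """The first check on the slide: True if 'mysql -u root' connects with no password,
    False if the server refuses or hangs, None if the mysql client is not installed."""
    try:
        r = subprocess.run(["mysql", "-u", "root", "-e", "SELECT 1"],
                           capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    except subprocess.TimeoutExpired:
        return False
    return r.returncode == 0


if __name__ == "__main__":
    findings, statements = audit_grants(SAMPLE_SHOW_GRANTS)
    for f in findings:
        print("finding:", f)
    for s in statements:
        print("fix:    ", s)
```

Paste the real output of SHOW GRANTS FOR each account into SAMPLE_SHOW_GRANTS (or read it from a file) and review the drafted statements before running them; the script only suggests, it never connects to revoke anything itself.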
- Run these steps to check the firewall.
  - Scan ports from the Internet using a tool such as nmap.
  - Port 3306 should not be accessible from untrusted hosts.
  - MySQL uses port 3306 by default.
  - Run telnet to connect to port 3306:
    telnet server_host 3306
  - If a connection is established, the port is open and should be closed on the firewall or router.
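The telnet check above, done in code so it can be run from an untrusted vantage point against your own server and scripted over several hosts. This is an added example, not from the slides: port_open() reports whether the TCP connection completes (what a successful telnet shows), and mysql_greeting() reads the handshake packet a MySQL server sends before the client says anything, which is why telnet to a live 3306 prints a version string straight away. The fake listener and its version string are constructed so the example runs offline; they are not a real host.

```python
"""Reproduce the slide's 'telnet server_host 3306' check in code (added example, not from the slides)."""
import socket
import threading

MYSQL_PORT = 3306


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes (what a successful telnet shows)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                      # refused, unreachable, or timed out
        return False


def mysql_greeting(host, port, timeout=3.0):
    """Connect and read the server's initial handshake packet. Returns the server version
    string if the listener speaks MySQL protocol v10, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            hdr = s.recv(4)              # 3-byte little-endian length + 1-byte sequence id
            if len(hdr) < 4:
                return None
            length = int.from_bytes(hdr[:3], "little")
            payload = b""
            while len(payload) < length:
                chunk = s.recv(length - len(payload))
                if not chunk:
                    break
                payload += chunk
    except OSError:
        return None
    if not payload or payload[0] != 10:  # protocol_version must be 10
        return None
    end = payload.find(b"\x00", 1)       # server_version is NUL-terminated
    return payload[1:end].decode("ascii", "replace") if end > 1 else None


def assess(host, port=MYSQL_PORT):
    """One-line verdict per host, in the checklist's terms: OPEN means fix the firewall."""
    if not port_open(host, port):
        return f"{host}:{port} closed or filtered"
    ver = mysql_greeting(host, port)
    return f"{host}:{port} OPEN" + (f" (MySQL {ver} answered)" if ver else " (no MySQL greeting)")


# --- offline stand-in for a reachable MySQL server (constructed, not a real host) ---------
FAKE_VERSION = b"5.0.45-community"


def start_fake_mysql():
    """Listen on a random 127.0.0.1 port and send a minimal constructed v10 greeting to each
    client; returns the port. Only the fields mysql_greeting() reads are meaningful."""
    payload = b"\x0a" + FAKE_VERSION + b"\x00" + b"\x01\x00\x00\x00" + b"\x00" * 20
    packet = len(payload).to_bytes(3, "little") + b"\x00" + payload
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.sendall(packet)
            except OSError:              # client hung up first (port_open does that)
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A local port with no listener, to exercise the 'closed' branch."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(assess("127.0.0.1", start_fake_mysql()))
    print(assess("127.0.0.1", unused_port()))
```

Against a real deployment, call assess() with the server's public address from a machine outside the trusted network; "closed or filtered" is the result the checklist wants, and "OPEN" with a greeting means the firewall or router rule is missing.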
- Run these steps to check Web forms that access MySQL.
  - Try to enter single and double quote marks in all Web forms.
  - Investigate and fix any problems right away.
  - Try to modify dynamic URLs by adding %22 (‘"’), %23 (‘#’), and %27 (‘'’) to them.
  - Try to enter characters, spaces, and special symbols rather than numbers in numeric fields.
  - Check the size of data before passing it to MySQL.
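What the Web-form checks above are looking for, shown on a tiny stand-in application. This is an added example, not from the slides, and it uses Python's built-in sqlite3 in place of MySQL so it runs offline (the quote-handling and parameter-binding behaviour is the same idea; MySQL's comment syntax is not modelled). lookup_concatenated() is the pattern the quote test exposes, lookup_parameterized() is the fix, form_values_from_url() decodes %22/%23/%27 the way a web server does, and the two validators cover the numeric-field and size checks. The users table, its rows, the URL and the length limit are constructed for the example.

```python
"""The slide's Web-form checks on a stand-in app (added example, not from the slides).
sqlite3 stands in for MySQL so the example runs offline."""
import sqlite3
from urllib.parse import parse_qs, urlsplit

MAX_NAME_LEN = 64   # size limit the application enforces before data reaches the server (assumed)


def make_db():
    """Constructed sample table; 'users' and its rows are not from any real system."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return db


def lookup_concatenated(db, name):
    """The pattern the checklist is hunting: the form value is pasted into the SQL text,
    so a single quote in the input changes the statement instead of the data."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return [r[0] for r in db.execute(sql)]


def lookup_parameterized(db, name):
    """The fix: the value travels as a bound parameter, never as part of the statement."""
    return [r[0] for r in db.execute("SELECT id FROM users WHERE name = ?", (name,))]


def form_values_from_url(url):
    """Decode %22 / %23 / %27 in a dynamic URL the way the web server does before the
    application sees the values; this is what the URL-editing check feeds the query."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def parse_numeric_field(value):
    """Reject characters, spaces and symbols in a numeric field before any query runs."""
    if not isinstance(value, str) or not value.strip().isdigit():
        raise ValueError(f"expected a non-negative integer, got {value!r}")
    return int(value)


def validate_name(value):
    """The size check from the last checklist item."""
    if len(value) > MAX_NAME_LEN:
        raise ValueError("name too long")
    return value


def probe_quotes(db):
    """Run the checklist's quote test against both lookups; a syntax error from the database
    is the 'problem' the slide says to investigate and fix right away."""
    results = {}
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        outcome = {}
        for probe in ("O'Brien", 'say "hi"'):
            try:
                outcome[probe] = fn(db, probe)
            except sqlite3.Error as e:
                outcome[probe] = f"ERROR: {type(e).__name__}"
        results[label] = outcome
    return results


if __name__ == "__main__":
    for label, outcome in probe_quotes(make_db()).items():
        print(label, outcome)
    print(form_values_from_url("http://example.test/user?name=bob%27&id=7%23"))
```

The concatenated lookup fails on the legitimate name O'Brien as well as on a probe, which is the tell: any form that errors on a quote is building SQL from text and needs the parameterized form.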
What are the security-related mysqld options?
© 2007 John Michael Pierobon