MYSQL Security via GRANTs

Best Practice


Limit root (and any other SUPER-privileged user) to

GRANT ... TO root@localhost ...

That prevents access from other servers. You should hand out SUPER to very few people, and they should be aware of their responsibility. The application should not have SUPER.

Limit application logins to the one database it uses:

GRANT ... ON dbname.* ...

That way, someone who hacks into the application code can't get past dbname. This can be further refined via either of these:

GRANT SELECT ON dbname.* ... -- "read only"
GRANT ... ON dbname.tblname ... -- "just one table"

A read-only login may also need a few 'safe' privileges, such as:

GRANT SELECT, CREATE TEMPORARY TABLES ON dbname.* ... -- "read only"

As you say, there is no absolute security. My point here is that you can do a few things to slow hackers down. (The same goes for honest people making mistakes.)

In rare cases, you may need the application to do something available only to root. This can be done via a Stored Procedure declared with SQL SECURITY DEFINER (and defined by root). The application is granted EXECUTE on that procedure alone, so it exposes only what the SP does, which might, for example, be one particular action on one particular table.

Host (of user@host)


The "host" can be either a host name or an IP address. It can also involve wildcards.

GRANT SELECT ON db.* TO sam@'my.domain.com' IDENTIFIED BY 'foo';

(The IDENTIFIED BY clause inside GRANT is deprecated in MySQL 5.7 and removed in MySQL 8.0; there you create the account first with CREATE USER ... IDENTIFIED BY and then GRANT to it.)

Examples (note that these usually need to be quoted):

localhost -- the same machine as mysqld
'my.domain.com' -- a specific domain; this involves a DNS lookup
'11.22.33.44' -- a specific IP address
'192.168.1.%' -- wildcard for the trailing part of an IP address (192.168.%, 10.% and 11.% are "internal" IP addresses)

Using localhost relies on the security of the server itself. For best practice, root should only be allowed in through localhost. In some cases, these mean the same thing: 127.0.0.1 and ::1.
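Putting the Best Practice and Host sections together, here is an added example (not from the original page) that sets up the accounts described above in MySQL 8.0 syntax, where CREATE USER and GRANT are separate statements. The database, account, table and procedure names (appdb, ops_admin, app_user, report_user, audit_log, archive_audit_rows) and the passwords are hypothetical placeholders; the script is meant to be run as root through the mysql command-line client.

```sql
-- Added example, not from the original page. All names and passwords are
-- hypothetical placeholders; run this as root via the mysql client.

-- 1. Full administrative rights, but only from the local machine.
CREATE USER 'ops_admin'@'localhost' IDENTIFIED BY 'CHANGE_ME_admin';
GRANT ALL PRIVILEGES ON *.* TO 'ops_admin'@'localhost' WITH GRANT OPTION;

-- 2. Application login: confined to its own database and to the app
--    subnet. Deliberately no DELETE, so a compromised app cannot purge data.
CREATE USER 'app_user'@'192.168.1.%' IDENTIFIED BY 'CHANGE_ME_app';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_user'@'192.168.1.%';

-- 3. Read-only reporting login, plus the "safe" privilege reports often need.
CREATE USER 'report_user'@'10.%' IDENTIFIED BY 'CHANGE_ME_report';
GRANT SELECT, CREATE TEMPORARY TABLES ON appdb.* TO 'report_user'@'10.%';

-- 4. One privileged action exposed through a SECURITY DEFINER procedure:
--    the body runs with ops_admin's rights, but app_user can only call it,
--    so the only DELETE the app can ever cause is this one, on this table.
DELIMITER //
CREATE DEFINER = 'ops_admin'@'localhost'
  PROCEDURE appdb.archive_audit_rows(IN cutoff DATE)
SQL SECURITY DEFINER
BEGIN
  -- audit_log.created_at is a hypothetical column.
  DELETE FROM appdb.audit_log WHERE created_at < cutoff;
END //
DELIMITER ;
GRANT EXECUTE ON PROCEDURE appdb.archive_audit_rows TO 'app_user'@'192.168.1.%';

-- 5. Verify the effective privileges of each account before go-live.
SHOW GRANTS FOR 'app_user'@'192.168.1.%';
SHOW GRANTS FOR 'report_user'@'10.%';
SHOW GRANTS FOR 'ops_admin'@'localhost';
```

The SHOW GRANTS output is the check worth keeping in a deployment runbook: an application account whose grants list anything on *.* or on a database other than its own is misconfigured.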

Conclusion

In this page (written and validated by ) you learned about MYSQL Security via GRANTs. What's Next? If you are interested in completing the MYSQL tutorial, your next topic will be learning about: MYSQL Change Password.
