Securing mysql db.

There are several ways to secure your database. it will depends on many factors.

First you have to ensure your physical server is safe... if it is at home then is your home safety? if you are using a remote hosting, then you should determine whether the owners of that hosting are trustworthy people... so as i said it depends who you want to protect yourself against. if you are storing illegal content as: i don't know but whatever.., then, if you don't have your server in a bunker your db wont be physically safe from law as "they"(lol) can look wherever they want

Don't forget to figure out if your server is electrically safe, if the voltage raises in a way that it burns your motherboard, then you can forget of all the data that was being processed at that moment (and pray to get hard disk content back). Did you think about the coffee cup that you normally put on the top of your server while changing your passwords to keep those hackers away? did you think of the damages that it could cause if it were to reverse on the wires?

Now that you have determined whether the physical database is safe, you have to check for the network attacks.

Since you are connected to the internet, there is a common access point to your database.
you have then to check if your server is safe enough. you can protect it as much as you want, but if you are receiving your host account passwords through your mail, then you are again in trouble. haha.

You have got to think of security through this point if view: your "system" is as secure as the most insecure entity that has a direct or indirect access to it.

kindly bilibytes

I have deleted all posts in this thread other than the reply to the original question with some minor edits. There are a number of points to keep in mind here.

Firstly, this is a community of volunteers. The IT professionals who answer questions on this forum give of their free time to help others and while there is a sincere attempt to respond to all questions they are under no obligation to do so. This allows us to keep the site free of paid subscription membership and open to all.

If a disagreement arises in any thread then it is better to draw it to the attention of a forum moderator or if one is not available any site moderator or admin. We discourage these kind of disagreements being dealt out in thread postings as we don't feel future visitors need to see this kind of thing when they are simply searching for an answer to their question.

If in the future there is no answer to a question you post in a reasonable period of time (a day or two) then it is acceptable to post a 'Polite' reply to the thread to bump it up the forum list to try to gain attention to it. However, while we maintain our desire to answer all questions sometimes this does not happen and while this is regrettable the alternative is to turn this site into a 'pay to view' site which nobody wants.

If either of you would like to discuss this further feel free to contact me by PM and I will try to resolve any issues.

Mary
ADMIN

My suggestion to you is to make sure that you are using limited credentials at all points.

Meaning, if all someone is doing with your database is making SELECT statements, give them only select permissions. If an update is needing to be performed, perhaps a user has both SELECT and UPDATE permissions. With the MySQL Administrator you can assign permissions on a table level basis, meaning a user can have SELECT access to all except one table (or visa versa) and have SELECT UPDATE INSERT DELETE permissions on another.

Back to limited creds. Make sure only the people with root access or administrator access login as those users if needed. It's a shame that so many of us IT people are guilty of using an administrator login for everything. This exposes the system to a potential security risk. Also, be sure that admin/root passwords are changed regularly and stored in safe locations.

Make sure that if you are storing the database on a server that physical access to the server be limited. It's very easy to install a keylogger device if one has access to the physical computer.

SQL injection can be fixed with various methods, the most common is replacing certain characters like the ' or " with their escaped versions. ]\' or \" or something similar (depends on languages). PHP offers a function to do the mysql_real_escape_string($variable) for you.

Hopefully this helps you out and will get you started.

Hey blyx,

Many many thanks for this response. It's exactly what I was originally after. Thanks very much.