MySQL Sanity check

OK. The below text is from the MySQL website.

"When you connect to a MySQL server, you should use a password. The password
is not transmitted in clear text over the connection. Password handling
during the client connection sequence was upgraded in MySQL 4.1.1 to be very
secure"

Has anyone actually tested this by "sniffing" their packets during use?
Also, does anybody know if this applies when using VB to connect using the
connection string?

This may be totally obvious but I was just looking for a 2nd opinion. I
have not "sniffed" my own packets yet as, currently, my DB server is
deader than dead.

--

Bob

--------------------------------------
I'll have a B please Bob.
Nov 21 '05 #1
"Bob Hollness" <bo*@blockbuster.com> wrote in
news:eL**************@TK2MSFTNGP14.phx.gbl:

> OK. The below text is from the MySQL website.
>
> "When you connect to a MySQL server, you should use a password. The
> password is not transmitted in clear text over the connection.
> Password handling during the client connection sequence was upgraded
> in MySQL 4.1.1 to be very secure"

The reason why MySQL recommends a password is because by default I believe
there is no password set (or a very basic password). MySQL is typically
set up to use hostname filters instead of passwords.

> Has anyone actually tested this by "sniffing" their packets during
> use? Also, does anybody know if this applies when using VB to connect
> using the connection string?

MySQL stores their passwords as hashes, so it's impossible to retrieve the
original password. I haven't sniffed MySQL packets before, but I believe
they send a password hash rather than a clear text password.

In any case, I haven't heard of a MySQL vulnerability lately... so if your
MySQL server is dead, could be a configuration issue on your side.

--
Lucas Tam (RE********@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
Nov 21 '05 #2
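The challenge-response exchange used by the MySQL 4.1 password scheme (later named mysql_native_password), as an added example that is not part of the original thread: the client answers a per-connection scramble with SHA1(password) XOR SHA1(scramble + SHA1(SHA1(password))), and the server checks that reply against the double hash it stores. The password and both scramble values are constructed samples.

```python
import hashlib
import hmac

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stored_hash(password: bytes) -> bytes:
    """What the server keeps: SHA1(SHA1(password)), shown as '*' + hex in mysql.user."""
    return sha1(sha1(password))

def client_token(password: bytes, scramble: bytes) -> bytes:
    """20-byte reply the client sends in the handshake instead of the password."""
    stage1 = sha1(password)
    return xor(stage1, sha1(scramble + sha1(stage1)))

def server_verify(stored: bytes, scramble: bytes, token: bytes) -> bool:
    """Undo the XOR using the stored hash, then check SHA1(result) == stored hash."""
    candidate_stage1 = xor(token, sha1(scramble + stored))
    return hmac.compare_digest(sha1(candidate_stage1), stored)

# Constructed sample values, not captured traffic.
PASSWORD = b"123abc"
SCRAMBLE_A = bytes(range(1, 21))    # server challenge for connection A
SCRAMBLE_B = bytes(range(21, 41))   # server challenge for a later connection

def demo() -> dict:
    stored = stored_hash(PASSWORD)
    token_a = client_token(PASSWORD, SCRAMBLE_A)
    return {
        "token_len": len(token_a),
        "password_on_wire": PASSWORD in token_a,
        "accepted": server_verify(stored, SCRAMBLE_A, token_a),
        "wrong_password": server_verify(
            stored, SCRAMBLE_A, client_token(b"guess", SCRAMBLE_A)),
        # A sniffed token is bound to its scramble and fails on a new connection.
        "replayed_on_new_scramble": server_verify(stored, SCRAMBLE_B, token_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This covers only the authentication handshake; it says nothing about the statements sent once the session is open.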
Thanks. I am connecting to my server over the internet and it will not
always be from the same machine. This is why I am using passwords. My
server is only dead because I broke it trying to upgrade something!

The question I wanted clarifying was this. Is my connection string that I
generate in code using VB, handed over the internet as plain text or does
it interface with the local MySQL DLLs that you have to install, and then
do they in turn check the password securely?

--
Bob Hollness

-------------------------------------
I'll have a B please Bob
Nov 21 '05 #3
"Bob Hollness" <bo*@blockbuster.com> wrote in
news:eO**************@TK2MSFTNGP11.phx.gbl:

> The question I wanted clarifying was this. Is my connection string
> that I generate in code using VB, handed over the internet as plain
> text or does it interface with the local MySQL DLLs that you have to
> install, and then do they in turn check the password securely?

The connection string is assigned to your MySQL .NET Database Classes
right? In that case, the connection string is passed to the MySQL.NET DLLs,
encrypted, then sent over the internet.

I'm pretty sure the text is encrypted (or at least hashed). You can verify
this by running a packet sniffer.

If you need a free sniffer, check out Ethereal. It's very easy to set up and
you can start sniffing your packets in ~5 minutes! : )

--
Lucas Tam (RE********@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
Nov 21 '05 #4
This is my connection string. Is this what you were referring to?

MAConn.CursorLocation = ADODB.CursorLocationEnum.adUseServer
MAConn.ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" _
    & "SERVER=IPADDRESS;" _
    & "PORT=3306;" _
    & "DATABASE=MyDB;" _
    & "UID=" & "testuser" & ";" _
    & "PWD=" & "123abc" & ";" _
    & "OPTION=" & 1 + 2 + 8 + 32 + 2048 + 16384

MAConn.Open()

Thanks for the help. I am not yet using the .NET connector from MySQL,
still using the ODBC DLLs.

--

Bob

--------------------------------------
I'll have a B please Bob.
Nov 21 '05 #5
"Bob Hollness" <bo*@blockbuster.com> wrote in news:u511X6n4EHA.208
@TK2MSFTNGP12.phx.gbl:

> This is my connection string. Is this what you were referring to?
>
> MAConn.CursorLocation = ADODB.CursorLocationEnum.adUseServer
> MAConn.ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" _
>     & "SERVER=IPADDRESS;" _
>     & "PORT=3306;" _
>     & "DATABASE=MyDB;" _
>     & "UID=" & "testuser" & ";" _
>     & "PWD=" & "123abc" & ";" _
>     & "OPTION=" & 1 + 2 + 8 + 32 + 2048 + 16384
>
> MAConn.Open()
>
> Thanks for the help. I am not yet using the .NET connector from MySQL,
> still using the ODBC DLLs.

Yes, that's the connection string I'm referring to. The ODBC DLLs parse the
string out and populate connection parameters... so I'm 95% sure that the
username/password is not sent as clear text.

--
Lucas Tam (RE********@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
Nov 21 '05 #6
Excellent. Thanks for your help. Hopefully I will have my server working
again today so I can sniff the packets.

--

Bob

--------------------------------------
I'll have a B please Bob.
Nov 21 '05 #7
"I picked a bad day to stop sniffing packets"

Seriously, I was wondering about this same thing also, as I'll be
upgrading my home server from MySQL 3.23. to 4.1.1 in the near future.

Nov 21 '05 #8
"Jerry H." <bo*********@gmail.com> wrote in news:1103206415.042924.64710
@f14g2000cwb.googlegroups.com:

> "I picked a bad day to stop sniffing packets"
>
> Seriously, I was wondering about this same thing also, as I'll be
> upgrading my home server from MySQL 3.23. to 4.1.1 in the near future.

FYI:

http://dev.mysql.com/doc/mysql/en/Se...st_attack.html

--
Lucas Tam (RE********@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
Nov 21 '05 #9
OK. And the results are.....

The initial connection is encrypted, but EVERYTHING else after that is sent
as plain text. So, if you ever do any administration, make sure you do it
via SSH as otherwise if you create a user, the password is sent as text for
all to see!

--
Bob Hollness

-------------------------------------
I'll have a B please Bob
Nov 21 '05 #10
"Bob Hollness" <bo*@blockbuster.com> wrote in
news:un**************@TK2MSFTNGP11.phx.gbl:

> The initial connection is encrypted, but EVERYTHING else after that is
> sent as plain text. So, if you ever do any administration, make sure
> you do it via SSH as otherwise if you create a user, the password is
> sent as text for all to see!

Yup, that's exactly what the docs say : )

--
Lucas Tam (RE********@rogers.com)
Please delete "REMOVE" from the e-mail address when replying.
http://members.ebay.com/aboutme/coolspot18/
Nov 21 '05 #11
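A check for the result reported in post #10, as an added example that is not part of the original thread: it walks the client-to-server bytes of an untunnelled MySQL session, picks out COM_QUERY packets, and flags statements that carry a password literal, redacting the value in the report. The byte stream, user name and password below are constructed, not captured.

```python
import re
import struct

COM_QUERY = 0x03  # command byte that precedes SQL text in a client packet

# Statements that put a password literal on the wire (MySQL 4.x/5.x syntax).
CRED_RE = re.compile(rb"(IDENTIFIED\s+BY\s+|PASSWORD\s*\(\s*)'([^']*)'", re.IGNORECASE)

def frame(payload: bytes, seq: int = 0) -> bytes:
    """Build one MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload

def packets(stream: bytes):
    """Yield (sequence_id, payload) for each complete packet in the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # capture ends mid-packet; stop rather than guess
        yield stream[pos + 3], payload
        pos += 4 + length

def cleartext_credentials(stream: bytes) -> list:
    """Return redacted copies of every query that exposes a password literal."""
    findings = []
    for _seq, payload in packets(stream):
        if payload[:1] != bytes([COM_QUERY]):
            continue
        sql = payload[1:]
        if CRED_RE.search(sql):
            redacted = CRED_RE.sub(lambda m: m.group(1) + b"'<redacted>'", sql)
            findings.append(redacted.decode("latin-1"))
    return findings

# Constructed post-handshake session: two harmless packets, two that leak a password.
SAMPLE = b"".join([
    frame(b"\x03SELECT 1"),
    frame(b"\x03GRANT SELECT ON MyDB.* TO 'testuser'@'%' IDENTIFIED BY '123abc'"),
    frame(b"\x03SET PASSWORD FOR 'testuser'@'%' = PASSWORD('123abc')"),
    frame(b"\x01"),  # COM_QUIT
])

if __name__ == "__main__":
    for line in cleartext_credentials(SAMPLE):
        print("cleartext credential statement:", line)
```

Any hit means an administrative session ran without the SSH tunnel the thread recommends, so the credential it set should be treated as exposed.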
