I have an application doing things on MySQL. I made it with VB.NET and with standart MySQL library. My question is, is it easy to hack? Can even basic hackers reach my database? And how can i secure it?
Thank you.
You should never save your Passwords in MYSQL_PWD environment. Because there might be a possibility in some versions of "ps" which can show/expose the password clearly to some other user.
Access to the database tables should be restricted to only those who are required to access data from them, otherwise it must not be accessed by some other user.
Automatic Password expiration technique must be up (Usually it's duration is set to 6 months or 180 days).
Sometimes the passwords are sent in a plain text in SQL Queries like Set password etc.
You must usually check the Privileges given to the users and you must use Revoke command to remove unnecessary privileges given to the users.
A Firewall must be installed before the MYSQL Database layer.
I think this answer helped you with your question somewhere.
Related
I am very sorry if this has been answered before, but I have searched for 2 days and cannot find the answer. I have 2 databases and I need to import users from the current database to a new one. The new database is for a chat system that has recently bee installed and I would like all users to be added to it.
So I thought I would simply manually add the users in the new database using information from phpmyadmin. But the encryption for the password is a different format and will not work.
For example in the first database the encryption is:
z70I9QINffX2Hh7FxQ==
In the second database the format is:
3eb5c61f784aa3c2e11d879382387d420f7c4ebf
Neither seem to be MD5 and I can't find out which type it is.
I know this is a stretch but does anyone know of a way to detect the type of encryption and how I can take a password, such as 'password' and encrypt it using the correct encryption type?
Thank you
You could try using a generic password for the root user, or logging into mysql as the root user & creating another user manually. Not sure what kind of access you have, but that's been the best bet in my experience.
Hope it helps.
The password encryption mechanism would be stored in the application's code. The 1st example looks like Base64 but can't be sure without comparing others. The 2nd example appears to be SHA1/MySQL5 Sha1(Sha1(pass)).
You're going to have to research the apps that are using these databases and to determine how it's creating and storing these account passwords in the database. Either way, you are trying to link 2-dbs that have different password mechanisms, that might require standardization of the passwords which might mean a password resets.
There is a harder way, you have a database of one-way hashed passwords. It will require a bit of focus in scripting... You would have to generate hashes for the cryptographic hashes used and compare to your users passwords to get the plaintext password. Then you recreate their accounts in the new DB using their passwords to create the new user with same credentials.
I am building a system in Microsoft Access 2013 that is using MySQL as the backend. I would like to have a form where the username of the user currently logged in to the MySQL database is the default value for an input field. I tried using the CurrentUser() function to do this, but that seems to always return "Admin".
So I guess there are really two questions here:
Is there a way to access the username of the user logged in to the MySQL server from within Access 2013?
If not, how do I control what the username is for CurrentUser()? It's very important in this system that I am able to differentiate between different users of the system and that not everyone simply shows up as "Admin".
It's possible there is a much better way to accomplish what I'm asking and I don't even know the right question to ask, and if that's the case please do let me know.
Thanks!
Create a "pass through" query in Access which uses the ODBC connection to MySQL, and ask MySQL for the name of the current user.
SELECT CURRENT_USER();
That query will be executed as is (meaning the Access db engine is not involved) at the server, and the result from the query is then available in Access.
The VBA CurrentUser() function retrieves the Access security account name. Unless you're using ULS (user level security), which is only available with the older MDB database format, the security account will always be "Admin". So it's not generally useful, and is definitely not useful for what you need here.
We need to deploy application(developed by Java) WAR file in client place which make use of MySql 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect data. The client can make use of the application but they should not be able to change any value in database. How to do that?
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO db_user#'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
Best Practice for Designing User Roles and Permission System?
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
Can't set permissions on MySQL user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html
http://www.databasejournal.com/features/mssql/article.php/2246271/Managing-Users-Permissions-on-SQL-Server.htm
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretent he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't forsee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.
First off, I realize that there is no such thing as a perfectly secure solution (and even if there were, its usability would be crap).
That said, how do you protect your MySQL database from being compromised by someone downloading your code and picking through it? Based on my experience with PHP, it seems obligatory to store it within the code at some point or another, which sends up flags for me. I can see where refactoring to obfuscate variable, constant, and (user-defined) function names could be beneficial, but in the end it'd still be possible to trace through it and find the file with the DB login information.
Ideas?
Usually the MySQL auth information is stored in an external configuration file. The MySQL user used by the web-based app is given limited permissions such as SELECT, INSERT, UPDATE, DELETE and not given permissions such as ALTER, DROP, DELETE. If you want to release the code to the public you would not include your private config file, but a generic/instructional/minimal config file instead.
Storing the MySQL auth info in an encrypted format is somewhat silly, as you'd need to store the private key / unencryption locally as well. If it is trivial for an unauthenticated user to view the code or configuration files on your server the problem isn't the code - it's your server setup & config.
Security can be assisted by storing any hard-coded information (in config files or scripts) outside of the web-root, and by suppressing (on the production code) error messages. That way, hopefully, your users won't see that userValidate() expects exactly three paramaters.
pygorex1 is correct, you should use external configuration files where "external" means a file outside the web root. So even if there would be a configuration error in your web server which would allow the user to see your source code, they would not be able to see the database credentials since they cannot be accessed directly via the browser.
pygorex1 is also right on the user permissions. Limiting the mysql user's access to a minimum is always preferred. Even if a hacker would get the your mysql password and username, he would not be able to do significant damage if the user permissions are only limited to eg SELECT-queries. One thing he forgot to mention was that the mysql user should only be allowed to log in from localhost (or from whatever host the web application is on), never use wildcards in the allowed hosts.
How do I check if a user/password pair works without actually making a connection to the database?
The DBMS in question is MySQL.
That was my original question. Since most people get this question wrong, then I should rephrase it as:
How do I check if a MySQL username/password is valid, without connecting to MySQL as that user? (thanks to derobert)
I actually found a solution, check my answer below.
If you want to check if a MySQL username/password is valid, without connecting to MySQL as that user, then you should take a look at the the users table in the mysql database.
But I'd recommend not doing this; that is really an internal MySQL implementation detail, and you really shouldn't depend on it. (e.g., what if MySQL gets LDAP auth someday?)
I think this question is open to interpretation. Most people will jump in and say "You can't.", but if what you are actually asking is "How do I use MySQL to authenticate a user but not actually use the database?" then that's a whole different ball game. Take a look at mod_auth_mysql, an Apache module which does exactly that. If we had more details on what exactly you were trying to do, folks might be more forthcoming.
Login as someone who has access to "mysql" database (schema), and do:
SELECT COUNT(*) FROM MYSQL.USER WHERE USERNAME=? AND PASSWORD=PASSWORD(?)
If the count > 0 then the username/password is correct.
If the username and password are stored in the database, then there's obviously no other way to check them other than to connect first.
The best you could do is perhaps only connect to the DB when they log in. Once they're authenticated, you could store some form of session information on disk, but it's not a great solution.
In short - not posssible if the userid/password are stored in the database.
Authentication basically means that you compare the response to a challenge with known values. If you do not have the values to compare with , you cannot authenticate.
One possible solution would be to devise some sort of scheme where the username/password are an encryption/decryption key pair. Obviously, this would be more feasible in an assigned username world, but such a policy would allow you not to hit the database if that is the primary objective.