I want to ask you how to create an user with read permissions only in SQL server 2014. In previous versions there was a user group called like db_readonly, but not in the last version.
Thank you
Finnally i solve the issue with the following article.
http://akawn.com/blog/2014/07/granting-read-only-access-to-multiple-databases-in-sql-server-2014/
You must be sure that the default permisions (i mean in the restrictive way) are set in public security group, if not, the limit of permission is useless.
Regards
Related
I have an application doing things on MySQL. I made it with VB.NET and with standart MySQL library. My question is, is it easy to hack? Can even basic hackers reach my database? And how can i secure it?
Thank you.
You should never save your Passwords in MYSQL_PWD environment. Because there might be a possibility in some versions of "ps" which can show/expose the password clearly to some other user.
Access to the database tables should be restricted to only those who are required to access data from them, otherwise it must not be accessed by some other user.
Automatic Password expiration technique must be up (Usually it's duration is set to 6 months or 180 days).
Sometimes the passwords are sent in a plain text in SQL Queries like Set password etc.
You must usually check the Privileges given to the users and you must use Revoke command to remove unnecessary privileges given to the users.
A Firewall must be installed before the MYSQL Database layer.
I think this answer helped you with your question somewhere.
I am building a system in Microsoft Access 2013 that is using MySQL as the backend. I would like to have a form where the username of the user currently logged in to the MySQL database is the default value for an input field. I tried using the CurrentUser() function to do this, but that seems to always return "Admin".
So I guess there are really two questions here:
Is there a way to access the username of the user logged in to the MySQL server from within Access 2013?
If not, how do I control what the username is for CurrentUser()? It's very important in this system that I am able to differentiate between different users of the system and that not everyone simply shows up as "Admin".
It's possible there is a much better way to accomplish what I'm asking and I don't even know the right question to ask, and if that's the case please do let me know.
Thanks!
Create a "pass through" query in Access which uses the ODBC connection to MySQL, and ask MySQL for the name of the current user.
SELECT CURRENT_USER();
That query will be executed as is (meaning the Access db engine is not involved) at the server, and the result from the query is then available in Access.
The VBA CurrentUser() function retrieves the Access security account name. Unless you're using ULS (user level security), which is only available with the older MDB database format, the security account will always be "Admin". So it's not generally useful, and is definitely not useful for what you need here.
We need to deploy application(developed by Java) WAR file in client place which make use of MySql 5.0. But we would like to restrict the client (the application owner, not the webpage visitor) from modifying any data in the database. Is there any way to protect data. The client can make use of the application but they should not be able to change any value in database. How to do that?
Manage Role/User permissions
Create an sql user (you should already have one), which will have only SELECT permission. So it would be something like
GRANT SELECT ON db_base.* TO db_user#'localhost' IDENTIFIED BY 'db_passwd';
http://kb.mediatemple.net/questions/788/HOWTO:+GRANT+privileges+in+MySQL
http://blog.wl0.org/2010/01/managing-mysql-grants/
http://www.ntchosting.com/mysql/grant.html
Check links below for further reading
FOR MySQL
Best Practice for Designing User Roles and Permission System?
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.devshed.com/c/a/MySQL/MySQL-User-Account-Management/
Can't set permissions on MySQL user
http://www.aquafold.com/d7/docs/BD5C99E4-3B55-C812-8318-6338A9A89ED9.html
FOR SQL Server.
http://www.databasejournal.com/features/mysql/article.php/3311731/An-introduction-to-MySQL-permissions.htm
http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm
http://www.sql-server-performance.com/articles/dba/object_permission_scripts_p1.aspx
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html
http://www.databasejournal.com/features/mssql/article.php/2246271/Managing-Users-Permissions-on-SQL-Server.htm
This is impossible; if you deploy the application at the client, he will have the credentials and will be able to log into the MySQL database and pretent he is the application. And thus he can make any change to the database that your application can.
The only way to solve this securely is to make a tier between the client and your MySQL database, and make sure that you control this so that it is only possible to make 'legal' changes.
Just write the code accordingly so that the user doesn't have any chance to modify the database? I.e. the code doesn't execute any INSERT or UPDATE and/or controls the access based on a login/role.
I honestly really don't forsee any problems here, or the code must be prone to SQL injection attacks.
Update: The above answer is actually irrelevant since the question is clarified. Turning into Community Wiki.
I'm not even sure SQL Server stores this kind of information, but, is it possible to get the username of the person who last modified a particular stored procedure, function, table or view?
Nothing critical, just wondering. Thanks!
If you are using SQL Server 2008, you could use some new features that allow you to put triggers on DDL changes. You can then track, based on the authenticated user, who made the change.
I think these triggers are new to SQL 2008, but they may be available in 2005.
Having said this, ideally you should have your database schema under source control, using a tool like Visual Studio Database Professional. Then you'd have a complete history of who did what and when.
Randy
It doesn't store this information out of the box.
You can use SQL Trace and Event notification (see the corresponding MSDN Article) to log this kind of information by yourself.
I have no experience with these technologies though ...
Definitely put DDL triggers in place. Even if you don't end up using them, or if you end up putting a decent source control system in place, still have the DDL triggers in place so that you can be sure about what's going on.
How do I check if a user/password pair works without actually making a connection to the database?
The DBMS in question is MySQL.
That was my original question. Since most people get this question wrong, then I should rephrase it as:
How do I check if a MySQL username/password is valid, without connecting to MySQL as that user? (thanks to derobert)
I actually found a solution, check my answer below.
If you want to check if a MySQL username/password is valid, without connecting to MySQL as that user, then you should take a look at the the users table in the mysql database.
But I'd recommend not doing this; that is really an internal MySQL implementation detail, and you really shouldn't depend on it. (e.g., what if MySQL gets LDAP auth someday?)
I think this question is open to interpretation. Most people will jump in and say "You can't.", but if what you are actually asking is "How do I use MySQL to authenticate a user but not actually use the database?" then that's a whole different ball game. Take a look at mod_auth_mysql, an Apache module which does exactly that. If we had more details on what exactly you were trying to do, folks might be more forthcoming.
Login as someone who has access to "mysql" database (schema), and do:
SELECT COUNT(*) FROM MYSQL.USER WHERE USERNAME=? AND PASSWORD=PASSWORD(?)
If the count > 0 then the username/password is correct.
If the username and password are stored in the database, then there's obviously no other way to check them other than to connect first.
The best you could do is perhaps only connect to the DB when they log in. Once they're authenticated, you could store some form of session information on disk, but it's not a great solution.
In short - not posssible if the userid/password are stored in the database.
Authentication basically means that you compare the response to a challenge with known values. If you do not have the values to compare with , you cannot authenticate.
One possible solution would be to devise some sort of scheme where the username/password are an encryption/decryption key pair. Obviously, this would be more feasible in an assigned username world, but such a policy would allow you not to hit the database if that is the primary objective.