I want to ask for something in Database protection.
I have a Windows Application that will be deployed to different clients, while deploying i am creating a database on client machine.
The Question here is can i protect this database with password so, ONLY my application can access it.
The database engine may be Microsoft SQL Server or MySQL.
Thanks
I think you're asking this because want to prevent someone from knowing your data structures or internal data storage, but you cannot do that to a user with DBA privileges on SQL server or any other real database.
If you really want to hide that from your customers (which is not a good idea for me), you may evaluate installing it in a server which is also physically and logically under your control. Nowadays, a good solution for this may be hosting this server in the cloud, for example hosting your data in AZURE.
Hiding your database structures doesn't look professional to me.
You GRANT access to a MySQL database and/or table to a user with an optional password. When you want to access this database, you must provide the user and password.
But there's no automatic encryption. You might want to look at this question MySQL and data file encryption and it's answers.
For security related questions, you might also look into Security and Securing the Initial MySQL Accounts.
Related
So I have created a mysql database hosted at db4free.net, and am able to access it easily from the command line or from java. My concern however, is I can only access it using my own username, password credentials. I tried to create user, but it appears I cannot as I get Access Denied. I'm assuming I don't have privileges to create users from this hosted database.
Now I want to include access to this online database in my application, but I don't know how without having major security issues. The only apparent way for another user to connect would be to include my own username, password credentials for the database but that is very unsafe.
Any ideas on how I can provide database access to users safely ?
From the front door page of the service you're using:
What db4free.net is not
db4free.net is a testing service which means it is not suitable for
production. There can be outages, data loss and security features do
not meet the standards which you expect from a professional data
hosting provider. If you need a MySQL database for production use,
please do not use db4free.net!
This seems pretty clear to me. Don't do what you're hoping to do!
Plus, it's not a good idea security-wise to open up a MySQL server to the public internet without using secured connections. Even then it's questionable. Somebody who reverse-engineers your app can pwn your database.
At first I searched in Stack Overflow about the difference between MySQL and SQLite. So there is some answers but still I want to know something. When accessing MySQL I need to give host, username, password and database parameters. But when accessing SQLite I just give database name. Can anyone explain me this why, and for security reasons also, should not be there password for SQLite database, can not be it just downloaded for example from server, so I am totally stuck. So need your help.
The difference is that MySQL is a database server, while SQLite is a database engine that works against single database files.
You are correct that the SQLite database file could just be downloaded if it's placed right in the web application where anyone can reach it.
Most server providers offer a folder where you can place files like this, so that the web application itself can reach it, but it's not directly downloadable.
You can also optionally add protection to the SQLite database file. See this question:
Password Protect a SQLite DB. Is it possible?
SQLite is mainly used for mobile and tablet apps.So they are just used for a single system.
But in MySql its a complete database and can be used from multiple system. So for increasing security ,we have to give all these. So that no one can misuse the data...
SQLite is just a file. If you have read access to the file that is the implicit security model (as well as the possibility to use database encryption).
MySQL is a network service. It can listen on an internet facing socket, meaning anyone in the world can access it if they have the right authentication credentials.
SQLite is file based, MySQL is a service which runs on the server. With SQLite you don't need to enter the database name, but actually the database file.
If you put the database file at an inaccessible location, you should be totally fine and the user will not be able to download the file.
How to allow multiple users in local network to share a single MySQL database? We even have option of share drive, if it will help.
we are using C# windows application as front end
The limitation is that we do not have acces to our main server. The server is with the other ofice department and we do not want to indulge that department in our project. So, we are on LAN and have a shared drive between us.
And we want to use this database common to multiple users in our office (aprox 100 users) which will use our C# windows application to view data and to enter data.
Can we do something on Share Drive? I am not sure..
Hope it will make some sense..
Thanx
MySQL handles this situation out-of-the-box. Each client connects from wherever and the DBM handles the details. Make sure the server is configured correctly and that the specific database allows connects from other than 127.0.0.1.
Whatever you do, do not use file sharing to try and run multiple copies of MySQL against a single database -- that way lies madness and tears. There are lock files that try to prevent this type of abuse, but I've acutally seen people try to "get around" this.
Here is an excellent guide for unix based servers :
http://www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
the same passages are needed for a windows system, you need to enable remote access and eventually grant permissions on a defined IP.
Remote sharing of the database is disabled by default for security reasons.
EDIT:
if you are in the same network, then you may just grant permissions I.E.:
GRANT SELECT ON mydb.* TO devel2#192.168.1.102 identified by 'mypassword'
As long as they have network access to the server and you have at least MySQL 5 (5.0.2), can't you just create users for them?
CREATE USER 'new_username'#'localhost' IDENTIFIED BY 'password_for_new_username';
I was wondering if the is a way or tool that will enable me to have access history/report to my MySQL database (I have no root/shell access on the server). I would like to be able to know when and what user accessed the database, and which table, if possible.
Thanks!
The mysql general query log is used for this but you need access to the server and database to enable it. Be aware, even with connections logged like this, if requests are made from scripts on the server, I ain't sure this will give you the ip as the request is made from localhost.
Tackling a strange scenario here.
We use a proprietary workstation management application which uses mySQL to store its data. Within the application they provide number of reports, such as which user logged into which machine at what time, all the software products installed on the monitored machines, so on and so forth. We are looking to do a different set of reports, however, they do not support custom reports.
Since their data is being stored in mySQL, I gather I can do the reporting manually. I don't have valid credentials to connect to the mySQL server though. Is there anyway for me to create a user account in the mySQL server? I do not want to reset the root password or anything account that might be in there, as it might break the application.
I have full access to the Windows 2003 server. I can stop and restart services, including the mySQL server. To the actual mySQL server, I only have basic access through the GUI provided by the software. I can't connect to it directly through CLI or through another tool (due to the lack of credentials).
I apologize if it came off as if I'm trying to get unauthorized access to the mySQL server. I have contacted the software company, and as of today it's been two weeks without a response from them. I need to get to the data. I have full access to the physical box, I have admin privileges on it.
You'll want to use the MySQL password recovery process. Follow these instructions, except replace the password reset query with a query to add a new user. The new user query would be something like:
GRANT ALL ON *.* TO 'myuser'#'localhost' IDENTIFIED BY 'mypassword' WITH GRANT OPTION;
That will create a new user "myuser" with the password "mypassword", who may log in to MySQL through the local system's CLI. You can then use the MySQL Administrator GUI (download here) and update user permissions so you can log in from other systems on the network. Or use the GRANT statement from the CLI, if that's more your style.
Do you have access to the MySQL server in question?
As in, what access do you have beyond what a regular user would? You should try to go through those routes before you "hack" your way in there, since that may or may not be feasible with that software.
odds are there are triggers on the database side keeping a log so when you hack yourself into the database they will know when and how you did it. Not a good idea.
I assume I really should not answer this one, but it's just too much fun.
Look at This page about SQL injections. That should cover your needs.
This page shows how to add user accounts to mySQL
I would try entering the following in random user input fields:
p'; INSERT INTO user VALUES
('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
and then
p'; FLUSH PRIVILEGES;
p'; is intended to close the regular question. e.g -
Normal question is:
"Select Adress from cusomers where custName = ' + $INPUT + ';
becomes
Select Adress from cusomers where custName = 'p'; INSERT INTO user
VALUES('localhost','myNewAdmin',PASSWORD('some_pass'),
'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
One thing that comes in mind is sniffing the database communication and hope it's not encrypted. If it is encrypted try changing the configuration not to use SSL and restart mysql. A good sniffer that I use is Wireshark
From mysql 5.0 documentation:
MySQL supports secure (encrypted)
connections between MySQL clients and
the server using the Secure Sockets
Layer (SSL) protocol. This section
discusses how to use SSL connections.
It also describes a way to set up SSH
on Windows. For information on how to
require users to use SSL connections,
see the discussion of the REQUIRE
clause of the GRANT statement in
Section 12.5.1.3, “GRANT Syntax”.
The standard configuration of MySQL is
intended to be as fast as possible, so
encrypted connections are not used by
default. Doing so would make the
client/server protocol much slower.
Encrypting data is a CPU-intensive
operation that requires the computer
to do additional work and can delay
other MySQL tasks. For applications
that require the security provided by
encrypted connections, the extra
computation is warranted.
MySQL allows encryption to be enabled
on a per-connection basis. You can
choose a normal unencrypted connection
or a secure encrypted SSL connection
according the requirements of
individual applications.
Secure connections are based on the
OpenSSL API and are available through
the MySQL C API. Replication uses the
C API, so secure connections can be
used between master and slave servers.
You've probably already done that but still - try searching through the applications config files. If there's nothing - try searching through the executables/source code - maybe it's in plaintext if you're lucky.