I want to give a remote site (owned my someone else) access to the mysql database on my server that is password protected, but I dont want to reveal the actual password to them.
Is it possible to have the mysql access file (with username and pswd) on my server, and they just connect through it, so that their site can access data in my MYSQL db, but I am not actually openely revealing the pswd to them.
Can such access also be give on a read only basis. I just want to make it so they can query the database, but not download the whole database or make changes to it.
The remote party will need credentials to be able to do anything with your MySQL database. Even if you were to open up some sort of file share to let them get to the physical files, that still doesn't let them do anything with the files (and it is not a good idea to expose the actual files outside of the database server).
Setup a separate user account just for them that provides them with just the permissions they need.
You can limit which MySQL databases the are allowed to access, and exactly what they can do in each individual database.
https://dev.mysql.com/doc/refman/5.5/en/adding-users.html
Related
A new client of mine has a site hosted on netnation (boo). Their account manager doesn't have a way to access phpmyadmin or anyway to access the database. I'm not a programer, I'd just like to be able to view a stored password so I can give it to my client. I have the database host, user, password, and database name in the php files of the site.
Is there a program that I can use to view the database? No command line please it's not my thing and I'd probably break something.
Thanks
Most live databases don't allow direct access from outside the server, so if you're unlucky it can't work unless you can configure mysql to allow access from remote clients, too.
But at least you can try. Just configure any phpmyadmin installation (locally or on another server) to connect to that database. You do that in the file config.inc.php in the phpmyadmin root directory.
Look for the line that says "$cfg['Servers'][$i]['host'] = 'localhost';". Just replace 'localhost' with the url or IP your database is running (usually the same as the website). If your mysql allows remote access, you should be good to go. Otherwise you will have to re-configure your mysql installation first to allow that.
MySQL Workbench is a GUI program that allows access to MySQL database. It can work directly or using SSH. Most likely you won't be able to connect directly so your best chance is to get SSH access and connect using it. If it's not an option you can get FTP access and install phpMyAdmin (simply by uploading it to server).
Also, it's considered a bad practice to store password in DB, so it's very likely that the password itself is not stored, just its hash.
I own a machine running third party software. I input data into this software and it stores that data into its own mysql database. I'd like query the mysql database directly, but I don't know the credentials that the application is using.
I have read and write access for all files in the machine, including the files in the mysql data directory. Theoretically, I should be able to read the data directly from these files (.ibd and .frm files). But practically, I don't know where to start. I'm thinking that these data files are somewhat readable since encrypting them would destroy their index-ability.
Is this feasible? Or would I have to reverse engineer the data file format in order to read it?
Or even better - is there some config file that I can change which would implicitly trust all local connections similar to postgres?
You could read the mysql files directly, but even if they're now encrypted, the columns names might be weird and you could have to spend some time reading them.
Another point could be looking for config files from that software, that could have the login/password (very very low probability, but who knows?)
And the best would be:
make a backup of the mysql files
in another mysql instalation / computer (to not break your software), follow the reset mysql password guide
Try accessing it via the command line on the local machine:
shell> mysql db_name
(from MySQL documentation)
From here, you can create yourself an account if you need to connect from other client software.
Or have you already tried that?
If you have root access to the machine that MySQL is running on, then you can reset the MySQL root password by following the procedure at: http://www.cyberciti.biz/tips/recover-mysql-root-password.html. Once you've reset the root password, you can then login to MySQL as the root MySQL user, and access any of the databases, and query them. The only caveat to keep in mind is that changing the MySQL root password could potentially prevent your application from accessing the MySQL database, but that would be surprising as the application should be designed to connect to the database using a MySQL user account (with limited privileges) other than the root MySQL user.
I recently installed the XAMPP stack on a desktop and connected via a laptop on the local network. To my surprise, I was able to access phpmyadmin and delete update all mysql tables. Though I understand that I shouldn't use xampp for production (and I'm not), I would still like to learn how to manage these types of obvious security flaws. I know that I can block access to directories via .htacces (http://forum.directadmin.com/showthread.php?t=29089), but I would like something that is a little more comprehensive. How would you restrict running of mysql queries from anywhere except localhost? Is there a way without .htaccess? I thought this was partially the purpose of the root user.
MySQL defined users with domains. If you look at your user_privileges table in the information_schema database you will see that they all have domains. If all your users are defined strictly as localhost, there will be no remote access.
Also, you can edit my.cnf to turn off tcp access to the database, forcing all connections to be by socket. under [mysqld], include the line skip-networking. You will have to configure all your apps to use the socket connection, but I like the socket better anyway.
This will do nothing to protect your data from someone using phpMyAdmin, if phpMyAdmin is installed on the same machine as the database. The safest thing to do is get rid of that app. That's often not practical, however, as it's a useful tool, and so you need to configure phpMyAdmin to require that users authenticate themselves. That means NOT putting the password in the config file. You will need to think about how long sessions are before reauthentication, and things like that.
phpMyAdmin fills me with a rage hotter than a thousand suns whenever I try to configure it, but it is definitely possible to set things up so a password is required each time you connect to the database through phpMyAdmin. You can further limit the damage phpMyAdmin abusers can do my making sure it only connects as a user with limited privileges (for instance, only able to modify the database you're working on at the moment).
At first I searched in Stack Overflow about the difference between MySQL and SQLite. So there is some answers but still I want to know something. When accessing MySQL I need to give host, username, password and database parameters. But when accessing SQLite I just give database name. Can anyone explain me this why, and for security reasons also, should not be there password for SQLite database, can not be it just downloaded for example from server, so I am totally stuck. So need your help.
The difference is that MySQL is a database server, while SQLite is a database engine that works against single database files.
You are correct that the SQLite database file could just be downloaded if it's placed right in the web application where anyone can reach it.
Most server providers offer a folder where you can place files like this, so that the web application itself can reach it, but it's not directly downloadable.
You can also optionally add protection to the SQLite database file. See this question:
Password Protect a SQLite DB. Is it possible?
SQLite is mainly used for mobile and tablet apps.So they are just used for a single system.
But in MySql its a complete database and can be used from multiple system. So for increasing security ,we have to give all these. So that no one can misuse the data...
SQLite is just a file. If you have read access to the file that is the implicit security model (as well as the possibility to use database encryption).
MySQL is a network service. It can listen on an internet facing socket, meaning anyone in the world can access it if they have the right authentication credentials.
SQLite is file based, MySQL is a service which runs on the server. With SQLite you don't need to enter the database name, but actually the database file.
If you put the database file at an inaccessible location, you should be totally fine and the user will not be able to download the file.
I was wondering if the is a way or tool that will enable me to have access history/report to my MySQL database (I have no root/shell access on the server). I would like to be able to know when and what user accessed the database, and which table, if possible.
Thanks!
The mysql general query log is used for this but you need access to the server and database to enable it. Be aware, even with connections logged like this, if requests are made from scripts on the server, I ain't sure this will give you the ip as the request is made from localhost.