How can we prevent the query "show databases;" or "show tables;" in MySQL for any non-root user? Is this possible? If so, please provide an example or an appropriate link indicating this.
Thanks in advance.
A non-root user sees all databases only if he has global rights (like GRANT something ON *.*). So the solution is to always grant everything ON databasename.*, never globally.
I would give show_db_priv a try:
http://dev.mysql.com/doc/refman/5.1/en/grant-table-structure.html
But, there have been reports of this not working. See this bug entry:
http://bugs.mysql.com/bug.php?id=1048
Can't get you a link right now, but this is a permissions issue at heart and control over access to the root user.
On something like phpMyAdmin or some other tool, you want to revoke permissions on these two databases (and any others) for all users except your root admin. If you're on a shared server where you typically get one user for your one database, you'll need to talk to your host.
My general rule (if I've got permissions control over the db server) is to create a new user for a specific database (or subset of tables) and always use that user only from the web or other application that talks to the db. It's more setup initially, but once you've got it set up you've got much more control and know that one application can't interfere with another.
Root access is simply not allowed for application use - it's for maintenance only.
I am very frustrated that I have been trying this for over 5 days.
I need to create a database on my PC that has to be visible to all other PCs in the same LAN.
I tried with XAMPP - Apache + MySQL - no result, even after reading all articles from the first 2 pages of Google and watching many YouTube clips.
Now I am trying with MySQL Server 8.0 on my PC. I tried again all of Google's first pages of stuff without result. How can I do that?
I know that this has been asked many times here, but there is no complex solution at all.
Does anybody of you have a tutorial that is tested nowadays and is working?
You should provide more details, like the error message you get when connecting to the remote MySQL server. Anyway, to allow remote access, here is a checklist you need to go through:
Grant permission: MySQL by default only allows access from localhost (127.0.0.1). To allow other IPs access:
-- replace root with the username, '123456' with the password
grant all privileges on *.* to 'root'@'%' identified by '123456';
flush privileges;
Check your server firewall settings to allow MySQL through port 3306 (default).
Others:
For a Linux server I think you also need to comment out "bind-address" in your MySQL config file;
some other issues, for example your MySQL client autodetects the wrong timezone, so you may need to set it manually;
check the inbound rule on your client PC;
etc.
My suggestion for you: don't just google around blindly, think about it logically first. Sometimes there is no direct answer.
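The "grant permission" step above, as an added example for MySQL 8.0 (not part of the answer): in 8.0, GRANT no longer accepts IDENTIFIED BY or creates accounts, so the one-liner above fails there; the account name 'appuser', the subnet 192.168.1.0/24 and the schema 'appdb' are constructed placeholders.

```sql
-- Added example (not from the original answer): remote LAN access on MySQL 8.0.
-- 'appuser', 192.168.1.% and 'appdb' are constructed placeholders.

-- Weak form, equivalent to the one-liner above: root, from any host, on every database.
-- GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';   -- avoid: root reachable from anywhere

-- Corrected form: a dedicated account, only from the LAN subnet, only on its own schema.
CREATE USER IF NOT EXISTS 'appuser'@'192.168.1.%'
  IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'192.168.1.%';
-- FLUSH PRIVILEGES is not needed after CREATE USER / GRANT; both refresh the cache themselves.

-- Verify what was granted: expect one USAGE line and one line for appdb.*.
SHOW GRANTS FOR 'appuser'@'192.168.1.%';

-- Check that the server listens on the LAN at all: bind_address must not be
-- 127.0.0.1 and skip_networking must be OFF. Both are set under [mysqld] in
-- my.cnf / my.ini and take effect only after a server restart.
SELECT @@bind_address    AS bind_address,
       @@port            AS port,
       @@skip_networking AS skip_networking;

-- List every account with the host pattern it may connect from; a '%' host on a
-- privileged account is the sign that a "remote access" fix went too far.
SELECT user, host FROM mysql.user ORDER BY user, host;
```

From the client PC, the connection test is then `mysql -h <server-lan-ip> -u appuser -p appdb`; if that hangs rather than failing with an access-denied error, the firewall or bind_address step is the one still missing.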
The problem was in the connection string.
static final String USERNAME="[username]";
static final String PASSWORD="[password]";
static final String CONN_STRING="jdbc:mysql://[ip-address]:[port]/[database-name]";
So, as LIU YUE suggested, I just granted access for this username. The problem was that my other computer has a different name.
I have a table named 'credentials' with username and password, and a 'role' table holding the roles of the organization. I want to grant permission on that schema depending on the roles present in the table 'role' of that schema.
What do I need to do?
Do not let anyone or any application have write or even read access to the mysql database. Exception: the Admin, who preferably has access only from localhost.
This implies GRANT ... ON dbname.* TO ... is the most that you give to non-admins. (Where dbname is not mysql.)
If the application (especially a web application) gets compromised, the hacker can see whatever data it was GRANTed. If that includes mysql, then he can fish around for the root password and do other nasties.
I have seen such a security flaw come in via a web page and get the Unix password file!
local_infile = ON is also a security hole waiting to be exploited. Turning it off puts a crimp in certain load mechanisms, but it is worth it for an exposed web site.
I try to execute query in phpmyadmin and get error:
#1142 - SELECT command denied to user 'cpses_tkdpmnyjWW'@'localhost' for table 'user'
So, user 'cpses_tkdpmnyjWW'@'localhost' is created dynamically and I cannot set privileges for this user.
How do I fix this?
Use SHOW GRANTS to show your current user privileges. It sounds as though the output may be similar to:
GRANT USAGE ON *.* TO 'Unnamed'@'localhost'
This would mean the account could sign into the server but do little else. This page gives a more detailed breakdown, as you'll see there are quite a few permutations.
The solution is you need to either find an account with more privileges or create/update one.
If the above is not an option, one quick trick I may try is connecting to '127.0.0.1' instead of 'localhost'. In MySQL the source of the connection can form part of the username, so it's plausible that connecting on an IP instead of a socket makes a difference if you are on a Unix-flavoured OS.
Additionally, if you have admin/root access to the server, it is possible to create users when MySQL starts which is very useful in some scenarios.
wamp local
Lost contact with all databases except one which I can log in to. In that DB my password is on a database level and not a grant user. I have checked all earlier answers. First I got error 1045 and took the advice given to use "cookie" instead of config in phpMyAdmin's config.inc.
Logged in to phpMyAdmin and got two other errors:
needs a secret blowfish..??
Something wrong in config file. Doesn't say which, and no more info.
Fixed them (really don't know how).
Have made the GRANT privileges statement for root.
Now I can get in with the root user, but also every other user, with or without password.
Then I can see my databases and tables (only titles).
I have checked that my DB files are still under the folders (mysql bin data).
Got a message before about something wrong in the config file. Checked it several times (config.inc.php) without seeing anything suspect.
Please... What to do?
I'm not really sure what your question is. It sounds like you worked through items 1 and 2. Sounds like you're logging in as root (as expected) and as the anonymous user (that's "every other user with or without password"). You can restrict that by removing the anonymous user (log in as root and click on the Users tab).
Say you created a blog application, and its data is stored in a MySQL database. In your application configuration you set the data source name to myBlog, user root, password whatever.
Now, when users start using your blog to access, post to, and comment on threads, etc... I am assuming they connect as root through the application myblog ...
So... users connect to the application myBlog who in turn connects to MySQL as user root , using password whatever --- it's not really the users that are connecting to MySQL, it's the application. Correct?
Is there not a security issue with this approach? Should I create a new username in MySQL for the application myBlog with specific privileges and leave root only for administering the database?
Yes, the application connects to the db. You should create a new MySQL user for your application; do something like
CREATE DATABASE myblog_env;
CREATE USER 'myblogenv-user'@'%' IDENTIFIED BY 'your pw';
GRANT ALL PRIVILEGES ON myblog_env.* TO 'myblogenv-user'@'%' WITH GRANT OPTION;
Something like the above should do it. The 'env' part of the above is for if you want to create a new db for different environments, like dev, stage, prod, whatever....
This way your application user has complete access to its db, but no other dbs in the MySQL instance.
First of all, you should NEVER use the root account of a MySQL database for anything other than admin work.
Second of all, in theory yes, the user of your blog would be the "root" in your MySQL database, but hopefully there is a lot of sanitizing and cleaning up in your blog's code before any queries are executed... anything else would be known as an "SQL injection".
You are exactly right. This is called the principle of least privilege. You should give the application the minimum access rights that it needs to complete the job. This would not be root.
The short answer is: Yes.
Long answer:
Security: You should have a different user for your application than you do for yourself as the administrator. That application user should only have read (and write if necessary) privileges on the specific database it needs to access. Also, it should not have privilege-granting privileges, nor drop table privileges, nor database creation/dropping privileges, nor anything else that is reserved for you.
Convenience: If you ever need to change your password, you don't want to have to change your application, and vice versa.
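The answers above (global grants making every database visible, grants on the mysql schema, WITH GRANT OPTION handed to an application user, the anonymous account, local_infile) describe what over-privilege looks like; this added audit script, not from any of the answers, reads only the grant tables and flags each pattern. Run it as an administrative account; it changes nothing.

```sql
-- Added example (not part of the thread): audit the grant tables for the
-- over-privilege patterns discussed above. Read-only; run as the admin.

-- 1. Accounts holding any privilege at the global level (ON *.*). These see every
--    database in SHOW DATABASES. Expect only the admin account(s) here.
SELECT GRANTEE, GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS global_privs
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE <> 'USAGE'
GROUP BY GRANTEE;

-- 2. Accounts granted anything on the mysql schema itself, where the account
--    table lives. A compromised application user listed here can read it.
SELECT GRANTEE, GROUP_CONCAT(PRIVILEGE_TYPE ORDER BY PRIVILEGE_TYPE) AS mysql_schema_privs
FROM information_schema.SCHEMA_PRIVILEGES
WHERE TABLE_SCHEMA = 'mysql'
GROUP BY GRANTEE;

-- 3. Accounts that may re-grant their privileges (WITH GRANT OPTION), at schema
--    or global level. An application user should never appear here.
SELECT GRANTEE, TABLE_SCHEMA AS scope
FROM information_schema.SCHEMA_PRIVILEGES
WHERE IS_GRANTABLE = 'YES'
UNION
SELECT GRANTEE, '*.*'
FROM information_schema.USER_PRIVILEGES
WHERE IS_GRANTABLE = 'YES';

-- 4. Anonymous accounts (empty user name): the reason "every other user, with or
--    without password" could log in. Remediation: DROP USER ''@'<host>';
SELECT user, host FROM mysql.user WHERE user = '';

-- 5. Accounts reachable from any host; pair each with its privileges from 1-3.
SELECT user, host FROM mysql.user WHERE host = '%';

-- 6. Server-side LOAD DATA LOCAL support; 0 (OFF) is the hardened setting.
SELECT @@local_infile AS local_infile;
```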