I’ve seen some passwords that took a few years off my life.
I mean, we all know about dictionary words, right? And we’ve all seen Spaceballs, right? But choosing 12345 as your password is not the only careless option: there are many more! The more familiar I get with users’ passwords, the more I see how [...]
This post follows Ronald Bradford’s More Basic MySQL Security, and Lenz Grimmer’s Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.
In Ronald’s post I’ve argued that passwords provided on the command line are visible in plaintext in “ps aux” output. Lenz has argued that this is incorrect, providing the source code [...]
A long-missing feature in MySQL is temporarily blocking accounts: denying a user the ability to log in, without affecting any of her other privileges.
There is no such privilege as ‘LOGIN’ in the grants table, as the ability to log in is the most basic one MySQL allows. This basic privilege is called USAGE.
I’ll present a [...]
And the following query:
SELECT `;`.`*`.`.` FROM `;`.`*`;
is valid as well. So are the following:
DROP DATABASE IF EXISTS `;`;
CREATE DATABASE `;`;
CREATE TABLE `;`.`*` (`.` INT);
CREATE TABLE `;`.`""` (`.` INT);
CREATE TABLE `;`.`$(ls)` (`.` INT);
MySQL’s security model is not as elaborate as other popular databases. It’s missing quite a lot.
I wish to point out what I think are some very disturbing security holes, which may affect the database integrity.
This post is not about Roles, Kerberos, IPs and such. It’s about simple MySQL features which allow common, unprivileged users to [...]
I’ve run into quite a few triggers lately on production systems. In previous posts, I’ve written about problems solved with triggers. So here’s a compilation of some solutions based on triggers, and some problems which are not (yet?) solvable due to current trigger limitations.
Triggers can be used to:
Maintain integrity
Enhance security
Enhance logging
Assist with archiving
Restrict table size
Manage [...]
Web applications face constant exploitation attempts. Those with a user base must keep their users’ private data, well… private.
While the MySQL security model allows restricting users’ access to databases, tables and even columns, it has no built-in feature for restricting access to rows within a given table.
One cannot allow a user to only update [...]
When MySQL’s root password is lost and must be reset, there are two popular ways to create a new password. One of the options is far too popular, in my opinion.
The preferred way of setting root’s password is by using an init-file. The process for doing this is well explained in MySQL’s manual. Using [...]