Loading Docs/manual.texi +16 −13 Original line number Diff line number Diff line Loading @@ -11638,7 +11638,7 @@ of applicable attacks: eavesdropping, altering, playback, and denial of service. We do not cover all aspects of availability and fault tolerance here. @strong{MySQL} uses Access Control Lists (ACLs) security for all @strong{MySQL} uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations that a user may attempt to perform. There is also some support for SSL-encrypted connections between @strong{MySQL} clients and servers. Many of the concepts Loading @@ -11651,12 +11651,12 @@ When running @strong{MySQL}, follow these guidelines whenever possible: @item DON'T EVER GIVE ANYONE (EXCEPT THE @strong{MySQL} ROOT USER) ACCESS TO THE mysql.user TABLE! The encrypted password is the real password in @strong{MySQL}. If you know this for one user you can easily login as @strong{MySQL}. If you know this for one user, you can easily log in as him if you have access to his 'host'. @item Learn the @strong{MySQL} access privilege system. The @code{GRANT} and @code{REVOKE} commands are used for restricting access to @strong{MySQL}. Do @code{REVOKE} commands are used for controlling access to @strong{MySQL}. Do not grant any more privileges than necessary. Never grant privileges to all hosts. Loading @@ -11664,8 +11664,9 @@ Checklist: @itemize @minus @item Try @code{mysql -u root}. If you are able to connect successfully to the server without being asked for a password, you have problems. Any user (not just root) can connect to your @strong{MySQL} server with full privileges! server without being asked for a password, you have problems. Anyone can connect to your @strong{MySQL} server as the @strong{MySQL} @code{root} user with full privileges! Review the @strong{MySQL} installation instructions, paying particular attention to the item about setting a @code{root} password. @item Loading Loading 
@@ -11703,8 +11704,8 @@ server_host 3306} from some remote machine, where @code{server_host} is the hostname of your @strong{MySQL} server. If you get a connection and some garbage characters, the port is open, and should be closed on your firewall or router, unless you really have a good reason to keep it open. If @code{telnet} just hangs, everything is OK, the port is blocked. have a good reason to keep it open. If @code{telnet} just hangs or the connection is refused, everything is OK; the port is blocked. @end itemize @item Loading @@ -11722,14 +11723,14 @@ available data that it need not be protected. This is incorrect. At least denial-of-service type attacks can be performed on such databases. The simplest way to protect from this type of attack is to use apostrophes around the numeric constants: @code{SELECT * FROM table WHERE ID='234'} instead of @code{SELECT * FROM table WHERE ID=234}. WHERE ID='234'} rather than @code{SELECT * FROM table WHERE ID=234}. @strong{MySQL} automatically converts this string to a number and strips all non-numeric symbols from it. Checklist: @itemize @minus @item All WWW applications: All Web applications: @itemize @bullet @item Try to enter @samp{'} and @samp{"} in all your Web forms. If you get any kind Loading Loading @@ -11771,7 +11772,7 @@ Users of @strong{MySQL}++: @item Users of Perl DBI: @itemize @bullet @item Check out the @code{quote()} method. @item Check out the @code{quote()} method or use placeholders. @end itemize @end itemize Loading Loading 
@@ -11883,7 +11884,7 @@ in and check things even if all normal connections are in use. Don't give the @strong{file} privilege to all users. Any user that has this privilege can write a file anywhere in the file system with the privileges of the @code{mysqld} daemon! To make this a bit safer, all files generated with @code{SELECT ... INTO OUTFILE} are readable to everyone, and you can't @code{SELECT ... INTO OUTFILE} are readable to everyone, and you cannot overwrite existing files. @tindex /etc/passwd Loading Loading @@ -11938,10 +11939,12 @@ systems that use MIT-pthreads, because the MIT-pthreads package doesn't support Unix sockets. @item --skip-show-database @code{SHOW DATABASE} command doesn't return anything. With this option, the @code{SHOW DATABASES} statement doesn't return anything. @item --safe-show-database @code{SHOW DATABASE} only returns databases for which the user has With this option, @code{SHOW DATABASES} returns only those databases for which the user has some kind of privilege. @end table Loading
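Review bot: "There is also some support for SSL-encrypted connections" in the -11638 hunk is left as vague as before; the sentence just above it names eavesdropping, altering, playback and denial of service as the attacks in scope, so say which of those the SSL support actually addresses (eavesdropping on the client/server link) and point the reader to where enabling it is described, instead of "some support".

Review bot: In the -11651 hunk, "The encrypted password is the real password in MySQL" still hides the actual point behind the word "encrypted". What the reader needs to take away is that the stored value alone is sufficient to authenticate, so say that directly, for example: "The value stored in mysql.user is equivalent to the password itself: anyone who can read it for a user can log in as that user from any host that user's entry allows." Also spell out that "access to his 'host'" means the host column of that user's row, since the reader is expected to act on it.

Review bot: The rewritten warning in the -11664 hunk, "Anyone can connect to your MySQL server as the MySQL root user with full privileges", overstates what the check shows: `mysql -u root` is run on the server host and exercises local access only, and a root entry restricted to localhost is not reachable by "anyone". Suggest: "Anyone who can reach the server from a host matching root's entry in mysql.user can connect as root with full privileges", and mention that remote reachability is what the telnet check later in the checklist covers.

Review bot: "If telnet just hangs or the connection is refused, everything is OK; the port is blocked" in the -11703 hunk conflates two different outcomes. A refused connection means nothing accepted the connection on that port at that moment (mysqld not running, or not listening on the network), not that a firewall or router blocks it; the check then passes on a host where the server is merely down and the port is exposed again as soon as it starts. Suggest: "If telnet hangs, the port is blocked. If the connection is refused, make sure mysqld is actually running and listening on the network before concluding that the port is unreachable."

Review bot: The "simplest way to protect from this type of attack" advice in the -11722 hunk, writing `WHERE ID='234'` instead of `WHERE ID=234`, only holds if the application also escapes quote characters in the value; otherwise the `'` that the checklist right below tells the reader to type into every form closes the string and the protection is gone. Say so in this paragraph, and present the quote()/placeholder advice at the end of the same section as the primary defense, with quoting of numeric constants as an additional measure for the numeric case rather than the "simplest way".

Review bot: "Check out the quote() method or use placeholders" in the -11771 hunk presents the two as interchangeable. Placeholders remove the need to escape every value by hand, which is exactly the step that gets forgotten, so list them first as the recommended approach and keep quote() as the fallback for values that cannot be bound.

Review bot: In the -11883 hunk, "To make this a bit safer, all files generated with SELECT ... INTO OUTFILE are readable to everyone, and you cannot overwrite existing files" never says why world-readable output makes anything safer, and a reader is likely to take it as a disclosure risk rather than a mitigation. Either give the rationale or restructure the sentence so the no-overwrite rule carries the mitigation and the world-readable property is stated as a fact to plan around (do not write output containing sensitive data to a directory other users can read).

Review bot: "some kind of privilege" in the --safe-show-database entry of the -11938 hunk is too vague for a security option; state which privilege levels count (global, database-level, table-level) so an administrator can predict what a given user will see. In the same hunk, the --skip-show-database entry says SHOW DATABASES "doesn't return anything" but not whether the statement fails with an error or returns an empty result, which matters for anyone scripting against it.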