This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Reviewing MySQL Security

From OWASP
Revision as of 14:18, 24 October 2007 by EoinKeary (talk | contribs) (New page: ==Introduction== As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be ...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Introduction

As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:


Privileges

Grant_priv: Allows users to grant privileges to other users. This shoudl be appropriately restricted to the DBA and Data (Table) owners. 

Select * from user 
where Grant_priv = 'Y'; 

Select * from db 
where Grant_priv = 'Y';

Select * from host 
where Grant_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Grant';

Alter_priv:Determine who has access to make changes to the database structure (alter privilege) at a global, database and table. 

Select * from user 
where Alter_priv = 'Y';

Select * from db 
where Alter _priv = 'Y';

Select * from host
where Alter_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Alter';
Retrieved from "https://wiki.owasp.org/index.php?title=Reviewing_MySQL_Security&oldid=22614"