Reviewing MySQL Security
From OWASP
Revision as of 14:18, 24 October 2007 by EoinKeary
Introduction
As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:
Privileges
Grant_priv: Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners.
-- Run against the mysql system database (USE mysql;)
Select * from user where Grant_priv = 'Y';
Select * from db where Grant_priv = 'Y';
Select * from host where Grant_priv = 'Y';
-- Table_priv is a SET column, so match 'Grant' as one member of the set
Select * from tables_priv where FIND_IN_SET('Grant', Table_priv) > 0;
Alter_priv: Determine who has access to make changes to the database structure (alter privilege) at the global, database and table level.
-- Run against the mysql system database (USE mysql;)
Select * from user where Alter_priv = 'Y';
Select * from db where Alter_priv = 'Y';
Select * from host where Alter_priv = 'Y';
-- Table_priv is a SET column, so match 'Alter' as one member of the set
Select * from tables_priv where FIND_IN_SET('Alter', Table_priv) > 0;
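The two checks above can be combined into one review query that reports each account once per scope. This is an added example, not part of the original page. It assumes the grant tables live in the mysql schema, and it leaves out the host table because that table has no User column and is absent from current MySQL releases.

```sql
-- Added example: every account holding GRANT or ALTER, with the scope
-- (global, database, table) at which the privilege applies.
-- Assumes read access to mysql.user, mysql.db and mysql.tables_priv.
SELECT 'global' AS scope, User, Host,
       NULL AS Db, NULL AS Table_name,
       Grant_priv = 'Y' AS can_grant,
       Alter_priv = 'Y' AS can_alter
FROM mysql.user
WHERE Grant_priv = 'Y' OR Alter_priv = 'Y'

UNION ALL

SELECT 'database', User, Host,
       Db, NULL,
       Grant_priv = 'Y',
       Alter_priv = 'Y'
FROM mysql.db
WHERE Grant_priv = 'Y' OR Alter_priv = 'Y'

UNION ALL

-- Table_priv is a SET column: test membership rather than equality so that
-- rows such as 'Select,Insert,Grant' are not missed.
SELECT 'table', User, Host,
       Db, Table_name,
       FIND_IN_SET('Grant', Table_priv) > 0,
       FIND_IN_SET('Alter', Table_priv) > 0
FROM mysql.tables_priv
WHERE FIND_IN_SET('Grant', Table_priv) > 0
   OR FIND_IN_SET('Alter', Table_priv) > 0

ORDER BY User, Host, scope;
```

Any row whose User is not the DBA or the owner of the listed database or table is a finding for the review.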