
Security Issues in MySQL Database Administration (Part 1)

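2012-07-12 17:30
I saw some posts online in which interviewees were asked how they understand MySQL database security. Many security problems are caused by improper account management.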

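1 Remove the anonymous account

After MySQL is installed, an anonymous account exists by default; simply running the mysql command is enough to log in, as shown below:

Run mysql directly to log in to the database, then switch to the test database: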

[xkyx80@localhost ~]$ mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 488
Server version: 5.5.20-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| test               |
+--------------------+
2 rows in set (0.00 sec)

mysql> ues test;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ues test' at line 1

mysql> use test;
Database changed

mysql> show tables;
+-------------------+
| Tables_in_test    |
+-------------------+
| gonghui2          |
| item              |
| site              |
| tbl_ad_monitor_ip |
| test              |
| test2             |
| test_             |
| test_level        |
| tx                |
+-------------------+
9 rows in set (0.00 sec)

So what privileges does this account have? Let's look at the user table in the mysql database:

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> select * from mysql.user \G;
Host: localhost.localdomain
User:
Password:
Select_priv: N
Insert_priv: N
Update_priv: N
Delete_priv: N
Create_priv: N
Drop_priv: N
Reload_priv: N
Shutdown_priv: N
Process_priv: N
File_priv: N
Grant_priv: N
References_priv: N
Index_priv: N
Alter_priv: N
Show_db_priv: N
Super_priv: N
Create_tmp_table_priv: N
Lock_tables_priv: N
Execute_priv: N
Repl_slave_priv: N
Repl_client_priv: N
Create_view_priv: N
Show_view_priv: N
Create_routine_priv: N
Alter_routine_priv: N
Create_user_priv: N
Event_priv: N
Trigger_priv: N
Create_tablespace_priv: N
ssl_type:
ssl_cipher:
x509_issuer:
x509_subject:
max_questions: 0
max_updates: 0
max_connections: 0
max_user_connections: 0
plugin:
authentication_string: NULL

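This lets any ordinary user log in to MySQL and perform operations such as creating large tables. It is recommended to delete this account or set a password for it.

2 Set a password for the root account

Once MySQL is installed, set a password for the root account (in the session below, '密码' stands for the password you choose):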

[xkyx80@localhost ~]$ mysql -uroot
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 490
Server version: 5.5.20-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> set password=password('密码');

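3 Use secure passwords

1 Make passwords as complex as possible, including letters, digits, special characters and so on.

2 Keep the password safe in use so that it cannot be stolen: when logging in to MySQL, use the interactive login and type the password by hand, which is safer.

4 Grant an account only the privileges it needs. If it only needs to insert, delete, update and query, grant only the select, update, insert and delete privileges. Make grants specific; granting a user all privilege is dangerous.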
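The steps from sections 1, 2 and 4 combined into one SQL script, as an added example that is not part of the original notes. It assumes the MySQL 5.5 server shown above (the Password column and PASSWORD() were removed in later releases); the account app_rw, the schema appdb and the bracketed passwords are hypothetical placeholders.

```sql
-- 1. Audit: anonymous accounts (empty User) and accounts without a password.
--    mysql.user.Password exists on the 5.5 server shown on this page.
SELECT User, Host,
       IF(User = '', 'anonymous', '')       AS anon,
       IF(Password = '', 'no password', '') AS pw
FROM mysql.user
WHERE User = '' OR Password = '';

-- 2. Audit: schema-level grants that apply to any user. A default install
--    grants the test schemas this way, which is why the anonymous account
--    above can work in test although every *_priv column in mysql.user is N.
SELECT Host, Db, User FROM mysql.db WHERE User = '';

-- 3. Remove the anonymous accounts. Use the Host values returned by step 1;
--    localhost.localdomain is the host in the output above. DROP USER
--    reports an error for a row that does not exist.
DROP USER ''@'localhost';
DROP USER ''@'localhost.localdomain';

-- 4. Remove the open grants on the test schemas found in step 2
--    (the same cleanup mysql_secure_installation performs).
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;

-- 5. Set a password on every root row listed by step 1.
--    '<strong-password>' is a placeholder, not a real value.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<strong-password>');

-- 6. Least privilege: an application account (hypothetical name) limited to
--    row-level operations on a single schema (hypothetical name).
CREATE USER 'app_rw'@'localhost' IDENTIFIED BY '<app-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'localhost';

-- 7. Verify: the new account holds only the four privileges, and list every
--    account that still holds powerful global privileges for review.
SHOW GRANTS FOR 'app_rw'@'localhost';
SELECT User, Host FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR File_priv = 'Y';
```

Run it from an interactive mysql session started with -p so that the login password is typed at the prompt rather than placed on the command line.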

Source: reading notes on 深入浅出MySQL