Wednesday, November 3, 2010

Security Review on Web Servers and Back-end Databases

MySQL (pronounced “My Sequel” or “My S-Q-L”) is a relational database management system that runs as a server to provide multi-user access to databases of information. MySQL is a very common database system used in web applications and is even used by websites such as Facebook, Google, and YouTube. One popular scripting language used in conjunction with MySQL to produce dynamic web pages is PHP (Hypertext Preprocessor). Website developers embed PHP code into a standard HTML page, and a web server with a PHP module interprets it to generate the final web page filled with dynamic content.

When developing a website which can be accessed by hundreds of millions of people, securing sensitive data on your server is crucial. If your website allows users to register an account and submit personal information to the database, you need to be sure that the data remains confidential and safe from unauthorized tampering. Attackers will try any method they can to expose a flaw in the system to gain access.

MySQL can be a very secure system if set up correctly and used appropriately by web programmers. The server administrator must protect the system from a number of attacks including: denial of service, altering, playback, and eavesdropping. Access Control Lists are used to secure all connections, queries, and other user-performed operations. SSL-encrypted connections between the MySQL server and clients can also help secure information. In the end, most security risks are caused either by the administrator of the server who fails to set things up correctly or by web programmers who unintentionally allow SQL injections in their code.

Two very simple examples of tasks the administrator should perform when setting up a secure MySQL server are to put the server behind a firewall that blocks untrusted connections on the port MySQL is running on, and to hash user passwords within the database using hash algorithms such as MD5 or SHA1. MySQL provides these functions to administrators and programmers so they can easily hash data on the fly. Most administrators will put a firewall between the internet and the web server, placing the web server in what is known as the demilitarized zone (DMZ). They will then put a back-end database within their internal network, where it is protected from outside access. For this database to communicate with the web server in the DMZ, information needs to be passed back and forth through the firewall, which can compromise security if the traffic on the firewall's open ports is not carefully monitored. Aside from various technical details, this is a simple way to describe how most network administrators organize their web servers and databases.
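An added example, not part of the original post, in Python: the unsalted digest that MySQL's MD5() returns for a password, beside a salted, iterated PBKDF2 record in which two users with the same password no longer share a stored value. The function names, record format and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def md5_digest(password):
    # Same 32-hex-digit value MySQL's MD5('...') returns: fast and unsalted,
    # so every row holding this password holds this exact string.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    # A random per-user salt makes equal passwords produce different records;
    # the iteration count makes each guess against a stolen table expensive.
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + derived.hex()  # assumed storage format: salt$hash


def verify_password(password, stored):
    salt_hex, derived_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate.hex(), derived_hex)


if __name__ == "__main__":
    pw = "password"  # constructed sample value
    print("MD5, user 1   :", md5_digest(pw))
    print("MD5, user 2   :", md5_digest(pw))      # identical to user 1
    print("PBKDF2, user 1:", hash_password(pw))
    print("PBKDF2, user 2:", hash_password(pw))   # differs: new salt
    print("verify ok     :", verify_password(pw, hash_password(pw)))
```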

One of the most common attacks on any SQL server is known as injection. SQL injection occurs when a user enters a special sequence of characters into an input such as a website form and, because the web programmers do not handle the input correctly, the MySQL server interprets the user input as a command rather than as plain text. I will not dive into the specifics, but if you are curious there is a great wiki explaining the basics of SQL injection that can be found here: http://en.wikipedia.org/wiki/SQL_injection. If a hacker finds a way to use SQL injection on your website, they can compromise the CIA security model (confidentiality, integrity, and availability). Failure to pay attention to minor details when dealing with user input on a web server can result not only in information being stolen but also in the loss of the whole database.

If the administrator and programmers of the web server are meticulous and aware of potential security flaws, it is possible to have a very secure web server for users to use safely, but as we all know quite well, no system is completely secure. Until a new attack is discovered, administrators and programmers can defend themselves against known attacks to cover as much as possible.


Sources:


http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html
http://www.softpanorama.org/DB/Mysql/mysql_security.shtml

3 comments:

  1. Thanks for sharing security tips on MySQL. Nowadays it is very important to concentrate on information security training in order to avoid any issue in future.

  2. This post was a good security review of the MySQL technology. I also liked the technological focus of this post. I found it particularly interesting that even when discussing security with more of a focus on technology, the main concern still is user awareness and security knowledge. This post discusses threats, such as "injections", but then reiterates that all of the known threats can be avoided if the programmers and administrators strictly heed and practice the security guidelines.

    Due to the prevalence of SQL on the internet (and therefore in our everyday lives), this is an interesting post for other reasons. Since MySQL is a technology that is so common in the internet, this post should also serve as a warning to all internet users. It is important when on the web and sharing any information to know who you are giving this information to and that this site is reliable. You cannot take security for granted, especially when globally connected on the internet.

  3. You can actually find software that will scan your files for possible injection vulnerabilities. It's free: You can find http://www.acunetix.com/vulnerability-scanner/sql-injection-scanner.htm?gclid=CNODrq7apaUCFQRM5QodCAy-4Q. I'm actually in a course right now where we're building databases and it is (from a beginner's perspective) extremely difficult to consider all the possible ways that your software could be exploited because you didn't consider the myriad ways that a user might behave. This kind of vulnerability reminds me of the State Machine Model we learned about earlier in the semester, where the difficulty of predicting user actions was painted as one of the foremost concerns for software development. Thanks for this post.
