Home >Database >Mysql Tutorial >Security analysis of Mssql and Mysql

Security analysis of Mssql and Mysql

黄舟
黄舟Original
2017-02-20 11:54:261796browse

[Introduction] Database is the foundation of e-commerce, finance and ERP systems, and usually stores important business partner and customer information. The electronic data of most enterprises, organizations and government departments are stored in various databases. They use these databases to store some personal information and also hold sensitive financial information. Databases are used in e-commerce, finance and ERP systems. Basically, important business partner and

customer information is usually saved. The electronic data of most enterprises, organizations and government departments are stored in various databases. They

use these databases to store some personal information and also hold sensitive financial data. However, databases usually do not receive as much attention to security as operating systems and networks. Data is the lifeblood of enterprises and organizations, so choosing a secure database is crucial. Large websites generally use oracle or DB2, while most small and medium-sized websites use the more flexible and compact mssql database or mysql database. So, under the same conditions, which one is more secure, Microsoft's mssql or free mysql?

I installed mssql and mysql by default on my machine using the administrator account in order to
test their security under the same circumstances. My system configuration is as follows: operating system Microsoft windows 2000 Version5.0,
sp4, ftp service and iis service are installed, supporting asp and php. The system has only one administrator account, admin, and the guest
account is not disabled.

1. System internal security analysis


1.mysql database permission control issue

Mysql permission control is based on the mysql database, called The authorization table includes a total of six tables columns_priv, db, func, host, tables_priv and user. First use the desc user command to view the structure of the very important user table to query the content. Now you can view his permission settings. Use the command

select host,user,password,delete_priv,update_priv,drop_priv from user;

This command checks several dangerous permissions, and the displayed results are as follows:

mysql> select host,user,password,delete_priv,update_priv,drop_priv from user; 
+-----------+------+------------------+-------------+-------------+-----------+ 
| host | user | password | delete_priv | update_priv | drop_priv | 
+-----------+------+------------------+-------------+-------------+-----------+ 
| localhost | root |0e4941f53f6fa106 | Y | Y | Y | 
| % | root | | Y | Y | Y | 
| localhost | | | Y | Y | Y | 
| % | | | N | N | N | 
+-----------+------+------------------+-------------+-------------+-----------+ 
4 rows in set (0.00 sec)

The first one means using root to log in with the password on this machine. Have permissions to delete records, modify records, delete tables, etc.
Okay, this is safe. The second item means that you can use root to log in on any host without a password and have the permissions to delete records,
modify records, delete tables, etc. The third item indicates that you can log in anonymously on this machine and have the permissions to delete records, modify records, delete tables, etc. The last item indicates that you can log in anonymously from any host, but without any permissions.

Obviously, the second, third, and fourth are all unsafe! Needless to say, the second one, as for the third one, even if you have guest permissions locally, you can still log in to the mysql database and have full permissions. In this way, you can do whatever you want with the database

.
Solution: If you don't need remote maintenance, delete the second entry,

delete from user where 
host="%" and user="root";

or add a strong password to it. Delete the third article,

delete from 
user where host="localhost" and user="";

The above is the content of the security analysis of Mssql and Mysql. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!



Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn