SQL Server和MySQL的安全性分析_MySQL-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

SQL Server和MySQL的安全性分析_MySQL

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 01, 2016 pm 01:53 PM

safetydatabasematerial

　　数据库是电子商务、金融以及ERP系统的基础，通常都保存着重要的商业伙伴和客户信息。大多数企业、组织以及政府部门的电子数据都保存在各种数据库中，他们用这些数据库保存一些个人资料，还掌握着敏感的金融数据。但是数据库通常没有像做系统和网络这样在安全性上受到重视。数据是企业，组织的命脉所在，因此选择一款安全的数据库是至关重要的。大型网站一般使用Oracle或DB2，而中小型网站大多数使用更加灵活小巧的SQL Server数据库或者MySQL数据库。那么，在同样的条件下，微软的SQL Server和免费的MySQL哪个更加安全呢?

　　我在我的机子上面用管理员帐号默认安装了mssql和mysql以便在相同的情况下测试他们的安全性。我的系统配置如下：操作系统Microsoft Windows 2000 Version5.0，安装了sp4，ftp服务和iis服务，支持asp和php。系统只有一个管理员帐号admin，guest帐号没有禁用。

　　一.系统内部安全性分析

　　1.mysql数据库权限控制问题

　　mysql的权限控制是基于mysql这个数据库的，叫做授权表，一共包括包括六个表columns_priv，db，func，host，tables_priv和user。先使用desc user命令查看非常重要的user表的结构以便查询内容，现在可以查看他的权限设置了。使用命令select host,user,password,delete_priv,update_priv,drop_priv from user;这个命令查看了几个比较危险的权限，显示结果如下：

　　mysql> select host,user,password,delete_priv,update_priv,drop_priv from user;

　　+-----------+------+------------------+-------------+-------------+-----------+

　　+-----------+------+------------------+-------------+-------------+-----------+

　　| localhost | root |0e4941f53f6fa106 | Y | Y | Y |

　　| % | root | | Y | Y | Y |

　　| localhost | | | Y | Y | Y |

　　| % | | | N | N | N |

　　+-----------+------+------------------+-------------+-------------+-----------+

　　4 rows in set (0.00 sec)

　　第一条表示在本机使用root用密码登陆，拥有删除记录，修改记录，删除表等权限，好，这是安全的。第二条表示在任何主机使用root不需密码登陆，拥有删除记录，修改记录，删除表等权限。第三条表示在本机匿名登陆，拥有删除记录，修改记录，删除表等权限。最后条表示可以再任何主机匿名登陆，但是没有任何权限。显然，第二，三，四都是不安全的!第二条不用说，就第三条而言，就算你在本地是guest权限，但是也可以登陆mysql数据库，而且拥有全部权限。这样，就可以对数据库为所欲为了。

　　解决方法：如果你不需要远程维护，删除掉第二条,delete from user where　host="%" and user="root";或者给它加个强壮的密码。删除第三条，delete from　user where host="localhost" and user="";

　　2.mysql安装目录权限问题

　　mysql默认安装到c:mysql，但是c盘默认是everyone完全控制，由于权限的继承性，c:mysql对everyone也是完全控制的，显然这样是不安全的。因为恶意用户可以删除重要的数据文件。

　　解决方法：重新设置mysql目录的存取权限。或者将mysql安装到其他目录,如果你移动Mysql分发到D:mysql，你就必须使用用D:mysqlbinmysqld --basedir D:mysql来启动mysqld，甚至还需要修改它的配置文件。

　　3.mssql数据库权限控制问题

　　mssql数据库的权限控制是基于master库的syslogins表，拥有所有权限的帐号是sa，其他还有sysadmin，db_owner等不同权限帐号。但是，mssql数据库最高权限帐号sa的默认密码是空，这样如果安装的时候不注意，就会给数据带来毁灭性的灾难。恶意攻击者可以修改，删除所有数据，更加重要的是mssql帐号可以利用扩展执行系统命令。

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Adding Users to MySQL: The Complete TutorialMay 12, 2025 am 12:14 AM

Mastering the method of adding MySQL users is crucial for database administrators and developers because it ensures the security and access control of the database. 1) Create a new user using the CREATEUSER command, 2) Assign permissions through the GRANT command, 3) Use FLUSHPRIVILEGES to ensure permissions take effect, 4) Regularly audit and clean user accounts to maintain performance and security.

Mastering MySQL String Data Types: VARCHAR vs. TEXT vs. CHARMay 12, 2025 am 12:12 AM

ChooseCHARforfixed-lengthdata,VARCHARforvariable-lengthdata,andTEXTforlargetextfields.1)CHARisefficientforconsistent-lengthdatalikecodes.2)VARCHARsuitsvariable-lengthdatalikenames,balancingflexibilityandperformance.3)TEXTisidealforlargetextslikeartic

MySQL: String Data Types and Indexing: Best PracticesMay 12, 2025 am 12:11 AM

Best practices for handling string data types and indexes in MySQL include: 1) Selecting the appropriate string type, such as CHAR for fixed length, VARCHAR for variable length, and TEXT for large text; 2) Be cautious in indexing, avoid over-indexing, and create indexes for common queries; 3) Use prefix indexes and full-text indexes to optimize long string searches; 4) Regularly monitor and optimize indexes to keep indexes small and efficient. Through these methods, we can balance read and write performance and improve database efficiency.

MySQL: How to Add a User RemotelyMay 12, 2025 am 12:10 AM

ToaddauserremotelytoMySQL,followthesesteps:1)ConnecttoMySQLasroot,2)Createanewuserwithremoteaccess,3)Grantnecessaryprivileges,and4)Flushprivileges.BecautiousofsecurityrisksbylimitingprivilegesandaccesstospecificIPs,ensuringstrongpasswords,andmonitori

The Ultimate Guide to MySQL String Data Types: Efficient Data StorageMay 12, 2025 am 12:05 AM

TostorestringsefficientlyinMySQL,choosetherightdatatypebasedonyourneeds:1)UseCHARforfixed-lengthstringslikecountrycodes.2)UseVARCHARforvariable-lengthstringslikenames.3)UseTEXTforlong-formtextcontent.4)UseBLOBforbinarydatalikeimages.Considerstorageov

MySQL BLOB vs. TEXT: Choosing the Right Data Type for Large ObjectsMay 11, 2025 am 12:13 AM

When selecting MySQL's BLOB and TEXT data types, BLOB is suitable for storing binary data, and TEXT is suitable for storing text data. 1) BLOB is suitable for binary data such as pictures and audio, 2) TEXT is suitable for text data such as articles and comments. When choosing, data properties and performance optimization must be considered.

MySQL: Should I use root user for my product?May 11, 2025 am 12:11 AM

No,youshouldnotusetherootuserinMySQLforyourproduct.Instead,createspecificuserswithlimitedprivilegestoenhancesecurityandperformance:1)Createanewuserwithastrongpassword,2)Grantonlynecessarypermissionstothisuser,3)Regularlyreviewandupdateuserpermissions

MySQL String Data Types Explained: Choosing the Right Type for Your DataMay 11, 2025 am 12:10 AM

MySQLstringdatatypesshouldbechosenbasedondatacharacteristicsandusecases:1)UseCHARforfixed-lengthstringslikecountrycodes.2)UseVARCHARforvariable-lengthstringslikenames.3)UseBINARYorVARBINARYforbinarydatalikecryptographickeys.4)UseBLOBorTEXTforlargeuns

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks agoByDDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks agoByDDD

Nordhold: Fusion System, Explained

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

Dreamweaver Mac version

Visual web development tools

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.