Security

Most of the work we do with MySQL is for the web. Whether you use Dreamweaver or PHP or any other means of displaying MySQL data on the web, your username and password must be embedded in your web files and readable to the web server.

This means that your username and password are readable by anybody who shares access to your server.

Because of this, most web hosting providers that give you MySQL access will give you multiple passwords. Each provider will have different policies, but you are likely to receive:

• a password that can do anything to your database, from anywhere on the net. Sometimes, you’ll need to enable it for anywhere on the net. You must safeguard this password carefully. Anybody who acquires this password will be able to not only see your data, but will be able to modify it. They will even be able to modify the structure of your database. You should never, ever use this password for your web pages.
• a password that can only see your database, and only from the web server. If your web page is only displaying data, not changing it, this is the password you want to use. If someone acquires this password without getting access to your web server, they can’t use it. If someone hacks into your server and gets your password, they can only use the password to see your data, not to change it.
• a password that can see your database and insert records, but cannot change records, and only from the web server. If your web page is displaying and collecting data, but is not modifying data, this is the password to use: a hacker who gains access to both it and your server can see data, and can add data, but cannot modify existing data.
• a password that can see your data and can modify data, and only from the web server. If your web pages need to be able to modify data, you’ll use this password for your web files. It means that anyone who acquires that password can modify data, but at least they cannot modify the structure of your tables.

You should ensure that the level of security you have on your server matches the level of security that you need. Remember that in any scenario other people who have accounts on your server will be able to do anything to your records that your web page can. You should only store information in your database that you are comfortable with, knowing that this is true.

If you are at a university, working on a departmental web page, often every other department has access to the same web server that you do. Whoever the other departments let work on their files, can see your files and thus can see your password.

If you are at a university, working on a personal or professional web page, or hosting your web pages on a third-party hosting provider, usually everyone else at the provider will have access to the same web server. Every one of them will be able to access your files and thus see your password. Store information only to the extent that you trust those others and that you would not mind them seeing--or changing.

Because of this, regular backups are essential. You should make backups as often as you change data.