MySQL for Other Applications: Security


Most of the work we do with MySQL is for the web. Whether you use Dreamweaver or PHP or any other means of displaying MySQL data on the web, your username and password must be embedded in your web files and readable to the web server.

This means that your username and password are readable by anybody who shares access to your server. Because of this, most web hosting providers that give you MySQL access will give you multiple passwords. You are likely to receive one or more of these:

• a password that can do anything to your database, from anywhere on the net. Sometimes the host will require you to explicitly enable remote access for it. Safeguard this password carefully. Anybody who acquires it will be able to see your data, modify it, and even modify the structure of your database. You should never, ever use this password for your web pages.

• a password that can only see your database, and only from the web server. If your web page only displays data, this is the password you want to use. If someone acquires this password without getting access to your web server, they can’t use it. If someone hacks into your server and gets your password, they can only use the password to see your data, not to change it.

• a password that can see your database and insert records, but cannot change records, and only from the web server. If your web page is displaying and collecting data, but is not modifying data, this is the password to use: a hacker who gains access to both it and your server can see data, and can add data, but cannot modify existing data.

• a password that can see and modify data, only from the web server. If your web pages need to modify data, you’ll use this password for your web files. It means that anyone who acquires that password can modify data, but at least they cannot modify the structure of your tables.
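The four account tiers described above map directly onto MySQL's GRANT syntax. The statements below are an added example, not from the original page; the database name `mydb`, the user names, the web server host `web.example.com`, the placeholder passwords, and the inclusion of DELETE in the "modify" tier are assumptions.

```sql
-- Added example: one MySQL account per privilege tier described above.
-- Assumed names: database mydb, web host web.example.com, placeholder passwords.

-- Tier 1: full control of the database from any host ('%').
-- Never embed this account's password in web files.
CREATE USER 'mydb_admin'@'%' IDENTIFIED BY 'CHANGE-ME-admin';
GRANT ALL PRIVILEGES ON mydb.* TO 'mydb_admin'@'%';

-- Tier 2: read-only, and only when connecting from the web server.
-- Stolen credentials are useless from any other host.
CREATE USER 'mydb_ro'@'web.example.com' IDENTIFIED BY 'CHANGE-ME-ro';
GRANT SELECT ON mydb.* TO 'mydb_ro'@'web.example.com';

-- Tier 3: read and add new rows, from the web server only.
-- No UPDATE or DELETE, so existing rows cannot be altered.
CREATE USER 'mydb_ins'@'web.example.com' IDENTIFIED BY 'CHANGE-ME-ins';
GRANT SELECT, INSERT ON mydb.* TO 'mydb_ins'@'web.example.com';

-- Tier 4: read and modify data, from the web server only.
-- Data privileges only: no ALTER, CREATE or DROP, so the table
-- structure stays protected even if this password leaks.
-- (DELETE is assumed here; grant only UPDATE if rows must never be removed.)
CREATE USER 'mydb_rw'@'web.example.com' IDENTIFIED BY 'CHANGE-ME-rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON mydb.* TO 'mydb_rw'@'web.example.com';

-- Check: confirm what each web-facing account can actually do
-- before its password goes into a web file.
SHOW GRANTS FOR 'mydb_ro'@'web.example.com';
SHOW GRANTS FOR 'mydb_ins'@'web.example.com';
SHOW GRANTS FOR 'mydb_rw'@'web.example.com';
```

Run the SHOW GRANTS checks again after any change to the accounts; the output is the authoritative record of what a leaked web password can do.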

You should ensure that the level of security you have on your server matches the level of security that you need. Remember that in any scenario, other people who have accounts on your server will be able to do anything to your records that your web page can. Knowing this, store only information in your database that you are comfortable exposing to them.

If you are at a university, working on a departmental web page, often every other department has access to the same web server that you do. Whoever the other departments let work on their files can see your files and thus can see your password.

If you are at a university, working on a personal or professional web page, or hosting your web pages on a third-party hosting provider, usually everyone else at the provider will have access to the same web server. Every one of them will be able to access your files and thus see your password. Store information only to the extent that you trust those others and would not mind them seeing or changing that information.

Because of this, regular backups are essential. You should make backups as often as you change data.
