tags:

views:

59

answers:

4
+1  Q: 

How to improve security of mysql database

I'm a student and we are making a simple information system for a hospital. How can we improve the security of mysql database so that confidential information will be protected.

A: 

Just a few off the top of my head...

  1. Use a good password
  2. Only allow access to the server from places it should be accessed from. eg. if it should only be accessed by a web server on the same machine, then don't allow mysql to be accessed from outside the machine.
  3. Give each person that can access it their own username and password and limit them to only the actions they need to perform. Disable DROP, DELETE etc and don't give average users permission to change databases, create tables, alter tables etc etc.
  4. Make sure you understand the user permissions system used in MySQL. It is a nightmare at first, but gives you a lot of control when you get it.
  5. Don't assume it is secure - it isn't - regardless of what you've done, you can always do more.
rikh  2010-01-28 09:27:20
A: 

Disallow connections from all ip addresses except application server ip address. And make sure that application working with DB is free of security holes. :)

Kirzilla  2010-01-28 09:27:40
+1  A: 

Make sure you don't allow SQL Injection from your application.

RSlaughter  2010-01-28 09:35:51
+1  A: 

Security is a complex issue and it is hard to answer vague questions.

A few generalisations.

If it makes sense to co-locate your database and application on the same server, then you should do so and disable all remote access to the database. The downside is that this limits your ability to scale using separate database and application servers.

Also you need to determine if you require replication. If you do then you need to allow access, whereas if you can get away with it you should not.

You need to be rigouous with your username and password regime. I actually use a password generator for both the user name and the password for application access, but how far you go is up to you.

You should assume that someone will get access to your database. Each "user" should only have the permissions required by the user to do that job. The less each user can do the safer you will be when someone does break in. You may need to create several users so each bit of your application can do their job, and only their job.

Lastly you should consider the ramifications of gaining access to your database. I would assume that health records require extremely high levels of security. You may consider some form of encryption / obfuscation in the database itself, but I have not ever needed to do this myself so I cannot comment furher.

Phil Wallach  2010-01-28 09:43:21

related questions

How to structure groups within a website? (admin, admin powers, user identity)
truncate all tables (most of which have constraints). How to temoprarily drop them
mysql command for showing current configuration
finding similar sentences in mysql
Is there an equivalent of Redgate SQL Compare for MySQL databases?
Is there a faster way to load mysqldumps?
Moving Raw MYSQL Data Files to a Different Directory
Mysql permission errors with 'load data'
MYSQL Optimizing a table with 137000 rows
How to make mysql accept connections externally
MySQL c++ how do I make a list of a list?
comparing data from mysql backups
mysql query browser edit button disabled
Rather difficult mySQL problem ...
MySQL permissions issue - should be non-issue
Autocomplete in MySQL under Windows
MySQL field management
How to monitor MySQL space?
Best MySQL Server Monitoring Tool
How do I restore a MySQL .dump file?
MySQL 5.0 instance manager like functionality for earlier versions?
How to know about memory consumption in mysql?
How to download a live MySQL db into a local test db on demand, without SSH?
What are the alternatives to using phpMyAdmin?
mysql software: any suggestions to oversee my mysql replication server?