Creating a database user

Discussion in 'Databases' started by dbixby001, Feb 16, 2010.

  1. I'm sorry if I am missing something obvious here, but can I create a database user for a database other than the default one created (e.g. databasename_user)? I'd like to create a user that has permission to a specific role only. When I try to do it in SQL it says that I do not have the appropriate permissions. Can I create my own database user? If so, how do I create a database user?
     
  2. Ray

    I'm afraid for each database we can only provide one DB user name. And that is the default user name.
     
  3. Mr. Ray..
    Is there any plan to support this matter? :(
     
  4. Ray

    It was discussed before but other features and enhancements took priority. I'll bring it up to our managers on our weekly meetings.
     
  5. Similar question

    Just signed up with Winhost. So if I'm understanding things correctly, the userid I use to Create/Delete/etc. SQL objects is the same ID my public web app will connect with in the connection string?
     
    Last edited by a moderator: Oct 14, 2015
  6. One user only?

    I just signed up today and I guess I should have read this :eek:

    SHOW GRANTS FOR CURRENT_USER;

    yields

    GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, TRIGGER ON `your_db`.* TO 'your_account'@'%'

    Any good SQL injection could easily DROP, ALTER, etc. a few tables, no? :confused:
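
Added example, not part of the original thread: a small Python audit of the SHOW GRANTS line quoted in the post above, listing which privileges go beyond what a web application's connection needs at run time. The `RUNTIME` set and the name `audit_grant` are assumptions made for this illustration.

```python
import re

# Assumption: privileges a typical CRUD web application needs at run time.
# Anything else in a GRANT is reported as excess for the web app's login.
RUNTIME = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE", "USAGE",
           "CREATE TEMPORARY TABLES", "LOCK TABLES", "SHOW VIEW"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<grantee>\S+)(?P<rest>.*)$", re.IGNORECASE | re.DOTALL)

# The grant line quoted in the post above.
PAGE_GRANT = ("GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, "
              "ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, "
              "CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, "
              "TRIGGER ON `your_db`.* TO 'your_account'@'%'")

def audit_grant(line):
    """Return grantee, scope and the privileges beyond RUNTIME in one GRANT."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError("not a GRANT statement: %r" % line)
    excess = []
    # Split on commas that are not inside a column list such as SELECT (a, b).
    for priv in re.split(r",\s*(?![^()]*\))", m.group("privs")):
        # Drop any column list, then normalise spacing and case.
        name = " ".join(re.sub(r"\(.*?\)", "", priv).upper().split())
        if name and name not in RUNTIME:
            excess.append(name)
    if re.search(r"WITH\s+GRANT\s+OPTION", m.group("rest"), re.IGNORECASE):
        excess.append("GRANT OPTION")
    return {"grantee": m.group("grantee"), "scope": m.group("scope"),
            "excess": excess}

if __name__ == "__main__":
    report = audit_grant(PAGE_GRANT)
    print(report["grantee"], "on", report["scope"])
    print("beyond run-time needs:", ", ".join(report["excess"]))
```
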
     
  7. Ray

    First off, they will need the password to your database to do that.

    But if you have a web application that connects to the MySQL database, yes, this can pose a potential hole. That is why it is important that you implement good coding practices on your web application. Many people think that the database needs to be set up more securely, but it is already set up as securely as it possibly can be. Any more secure and no one, including authorized people, will be able to access it.

    Good coding practices consist of making sure the input box that connects to the database has filtering mechanisms that filter out known characters that can exploit a MySQL database. Also, routinely downloading the most recent security updates for a web application is very crucial. Developers tend to think that once they have secured a web application and database, they do not need to think about it anymore. Remember, security also requires vigilance.

    Lastly, from what I have seen, the point of security failure does not come from the server but from the person's own computer. Often they inadvertently download a trojan/worm/virus that logs their keystrokes or simply sends logins and passwords over the Internet. Once that occurs, no amount of security we or you implement will stop unauthorized access. So, it is always wise to update the antivirus on your computer, especially if you are using it for your business, and to make sure you have a good firewall up and running. I often suggest to people to have two computers: one for doing your development or business activities, and the other for your personal use. I know money is tight in a slow economy, but that investment will save you money or even your business.
     
  8. yeah, but...

    Sometimes it's not up to us to implement good practices, e.g. WordPress. Somehow I don't think the forum.Winhost.com SQL connection is running under a highly elevated SQL account, or is it? ;)

    It would be nice if Winhost would allow for the creation of additional MySQL users and let us define what permissions they can have.

    ps: thanks for replying Ray ...
     
    Last edited by a moderator: Oct 14, 2015
  9. Ray

    I'll bring up the request of having additional MySQL users at our meeting, but as of right now we don't have any plans of offering this feature. At this time not enough customers are requesting it.

    As for WordPress, true that it is difficult to enforce more secure coding, but WordPress is fairly reliable and secure as a web application. All I can say is to stay on top of the latest security patches for WordPress and you should be OK.
     
    Last edited by a moderator: Oct 14, 2015
  10. Well, it's not exactly best practice to use a root MySQL login for an application's database. That being said, this forum and the rest of our corporate site(s) do not run on production customer servers, so it isn't really comparable.

    As Ray pointed out, you don't really have to worry about SQL injection when you are using applications like WordPress or vBulletin or anything else that is being actively developed for a large user base. You'll typically see SQL injection vulnerabilities on custom written interfaces.
     
    Last edited: Oct 14, 2015
