On Tue, Feb 19, 2002 at 04:39:10PM +0100, Peter Banik wrote:
> you should explicitly specify host/password in the GRANT statement, like
> this:
>
> GRANT ALL ON xxx.* TO user@'localhost' IDENTIFIED BY 'password';
> FLUSH PRIVILEGES;
>
> This way the user will only be granted access from the specified host, you
> don't need to manually INSERT into the user table. (You'll also get rid
> of the empty passwords.)

Hmm, I just ran another experiment:

mysql> create database xxx;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on xxx to xxx;
Query OK, 0 rows affected (0.00 sec)

mysql> select host,user,password from user where user='xxx';
+------+------+----------+
| host | user | password |
+------+------+----------+
| %    | xxx  |          |
+------+------+----------+
1 row in set (0.00 sec)

So if I execute a GRANT statement without specifying a password, and
MySQL decides that it needs to create a new user for this (host,user)
pair, then it will create it with a blank password! This seems to be
insecure default behavior to me.

I wonder if it would be better to change MySQL such that it will not
create a user with a blank password like this unless "IDENTIFIED BY ''"
is explicitly specified?
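
An audit for the condition found in the experiment above, added here as an example that is not part of the original message: it lists every account that has a blank password or accepts connections from any host, then sets a password on the account the bare GRANT created. It assumes the mysql.user columns shown in the post (host, user, password); the password literal is a placeholder.

```sql
-- Added example, not from the original thread.
-- Assumes the mysql.user layout shown in the post (host, user, password)
-- and an administrative login.

-- 1. Find accounts that a GRANT without IDENTIFIED BY may have created:
--    blank password, and/or a host pattern that matches any client.
SELECT host,
       user,
       CASE WHEN password = ''      THEN 'yes' ELSE 'no' END AS blank_password,
       CASE WHEN host IN ('%', '')  THEN 'yes' ELSE 'no' END AS any_host,
       CASE WHEN user = ''          THEN 'yes' ELSE 'no' END AS anonymous
FROM   mysql.user
WHERE  password = ''
   OR  host IN ('%', '')
   OR  user = ''
ORDER  BY blank_password DESC, any_host DESC, user, host;

-- 2. Close the gap on the account from the experiment (xxx@'%').
--    'REPLACE-WITH-STRONG-PASSWORD' is a placeholder, not a real value.
SET PASSWORD FOR 'xxx'@'%' = PASSWORD('REPLACE-WITH-STRONG-PASSWORD');

-- 3. Confirm that no row for this user still has an empty password.
SELECT host, user
FROM   mysql.user
WHERE  user = 'xxx'
  AND  password = '';
```

Step 3 should return an empty set once the password is in place; any row still listed by step 1 with blank_password = 'yes' needs the same treatment.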