Re: Stored Procedure Security Question
What you are asking for is exactly what DEFINER security does. The application owner grants appuser the right to execute the procedure, but not to SELECT from any tables. The procedure is then run with the security attributes of the definer of the procedure, the application owner, even though it is the application user that runs it.

This is no different than other DBMS systems, the difference being that you have the option of defining a procedure with INVOKER rights, in which case the procedure will run with the security attributes of the application user, and you need to grant that user access to any tables that are accessed within the procedure. So in essence, MySQL doesn't limit you compared to most other DBMS's, it gives you more options.

Cheers
/Karlsson

--
Anders Karlsson ([EMAIL PROTECTED])
MySQL AB, Sales Engineer
Stockholm
www.mysql.com
Cellphone: +46 708 608121

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
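The privilege layout described in the reply above, as an added example that is not part of the original post and not MySQL's own code. The database `appdb`, the table `orders`, the account `appowner` and both procedure names are constructed for illustration; only `appuser` comes from the thread. It assumes the statements are run in the mysql client by an administrative account that is allowed to set DEFINER.

```sql
-- Constructed schema: one table that the application user must never read directly.
CREATE DATABASE IF NOT EXISTS appdb;
USE appdb;

CREATE TABLE orders (
    order_id INT PRIMARY KEY,
    customer VARCHAR(64) NOT NULL,
    total    DECIMAL(10,2) NOT NULL
);
INSERT INTO orders VALUES (1, 'constructed-customer', 19.99);

-- Application owner (hypothetical account): holds the table privilege and is the
-- DEFINER of the procedures. It also needs EXECUTE, because a routine that runs in
-- definer context is checked against the definer's own privileges.
CREATE USER 'appowner'@'localhost' IDENTIFIED BY '<owner-password-placeholder>';
GRANT SELECT  ON appdb.orders TO 'appowner'@'localhost';
GRANT EXECUTE ON appdb.*      TO 'appowner'@'localhost';

-- Application user: receives no table privileges at all.
CREATE USER 'appuser'@'localhost' IDENTIFIED BY '<app-password-placeholder>';

DELIMITER //

-- Runs with appowner's privileges, whoever calls it.
CREATE DEFINER = 'appowner'@'localhost' PROCEDURE get_order(IN p_id INT)
    SQL SECURITY DEFINER
BEGIN
    SELECT order_id, customer, total FROM orders WHERE order_id = p_id;
END//

-- Same body, but runs with the caller's privileges.
CREATE DEFINER = 'appowner'@'localhost' PROCEDURE get_order_as_invoker(IN p_id INT)
    SQL SECURITY INVOKER
BEGIN
    SELECT order_id, customer, total FROM orders WHERE order_id = p_id;
END//

DELIMITER ;

-- EXECUTE is the only privilege appuser is given.
GRANT EXECUTE ON PROCEDURE appdb.get_order            TO 'appuser'@'localhost';
GRANT EXECUTE ON PROCEDURE appdb.get_order_as_invoker TO 'appuser'@'localhost';

-- Connected as appuser:
--   CALL appdb.get_order(1);             succeeds, the SELECT runs as appowner
--   CALL appdb.get_order_as_invoker(1);  is denied, appuser has no SELECT on orders
--   SELECT * FROM appdb.orders;          is denied for the same reason

-- Review checks: what appuser can actually do, and which routines run in
-- definer context under which account.
SHOW GRANTS FOR 'appuser'@'localhost';

SELECT ROUTINE_NAME, SECURITY_TYPE, DEFINER
FROM information_schema.ROUTINES
WHERE ROUTINE_SCHEMA = 'appdb';
```

Because every DEFINER routine lends its definer's privileges to anyone holding EXECUTE on it, the definer account in this layout is granted only the table access the procedures need.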
Stored Procedure Security Question
When creating a stored procedure, you can set the sql security characteristic to either definer or invoker. As an example, I have a stored procedure that does a select from a table, and an application user (appuser) that calls the stored procedure. If the sql security is set to invoker, then I have to give appuser both select and execute privileges. If the sql security is set to definer, then the definer needs select privileges and appuser only needs execute. What I'd like to be able to do is to give appuser the execute privilege and not have to give any privileges on the underlying tables to the definer. Is this possible? We do almost 100% of our work through stored procedures. It would be a lot easier to manage just the execute privilege. Are there reasons why this is not a good idea? This is how we manage security with our other DBMS and it's worked quite well, but it doesn't have the definer/invoker characteristic for stored procs either. Any suggestions about how to manage users/privileges would be appreciated. Donna
Security Question
Hi All --

I have been a member of this list for a while but I actually have a question that I can't answer.

MySQL v4.1.14-nt on Win2k3 Server

I've got someone who is trying to get in, but I have locked it down. Methods used include, but are not limited to:

- No Outside Root Access
- System DSNs for Web connectivity
- Strong Passwords for each user
- User Permissions different for each purpose

Here's the question -- It's a DoS attack and it's locking up the system for other users (max_connections_allowed). Anything I can do extra via MySQL that will keep this person away, or perhaps free up the server? I would rather not increase the max_conn_allowed var as it's already at 800 (more than I need).

Do not have access to the Router (I wish I did, ACLs are such a great thing), but have full Admin rights to the server.

Thanks everyone!

J.R.
Re: Security Question
If it's a DoS attack then perhaps you should be speaking to your ISP and getting that resolved rather than trying to work around the problem on your side of things!

Having said that, you could possibly impose host level restrictions in MySQL, but that could be a lot of work to modify your existing user base, especially since you'd need to gather all your remote host information first, and then do all the updates.

Cheers.

Armando
Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
[EMAIL PROTECTED] wrote:

> MySQL has moved WELL past the 3.23.x lineage and is getting close to retiring the 4.0.x lineage (it's only a rumor). So I suggest you update

Not completely a rumor; on August 2, Heikki wrote:

> As far as I know, one release of 4.0 will still be built.

Considering the differences between 4.0.x and 4.1.x, I never saw the logic of the minor version change of 4.1. At the moment the 4.0.x branch is useful as an easy step on the way to upgrading to 4.1. But I agree that upgrading to 4.1 is sound advice.

Regards, Jigal.
security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Hi,

I have installed binary mysql version 3.23.58 downloaded from www.mysql.org. The changelog in the documentation says that the release is from September 2003 and the security bug is from March 2005. What can I do? How does MySQL provide updates?

Thanks!!

Security info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711
Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
Alejandro [EMAIL PROTECTED] wrote on 08/16/2005 03:01:59 PM:

> Hi, I have installed binary mysql version 3.23.58 downloaded from www.mysql.org. In changelog from the documentation say that the release is from september 2003 and the security bug is in March 2005. What can I do ? How mysql provide updates? Thanks!!
>
> Security info:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0709
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0710
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0711

MySQL has moved WELL past the 3.23.x lineage and is getting close to retiring the 4.0.x lineage (it's only a rumor). So I suggest you update your installation, paying attention to all of the version-to-version gotchas listed here: http://dev.mysql.com/doc/mysql/en/upgrade.html

There is little to no activity in support of the 3.23.x version of MySQL. Is there a VERY GOOD reason why you cannot or do not want to upgrade?

Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine
Re: security question CAN-2005-0709 CAN-2005-0710 CAN-2005-0711
I agree with you, I will upgrade. Thanks for the advice.
RE: Security Question
Thomas,

It would be more secure if you had the DB on another server that was locked down and only allowed access to the web server on the MySql port (plus probably ssh access for admin). If you're going to the expense of audits, this must be fairly important, so the cost of the other server would not be too significant?

Best regards,
Andy
Re[2]: Security Question
> - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!

PD> Sure. That's why you establish filesystem level access privileges so that only the mysql user can copy them in the first place.

Some DBMSs allow to setup databases on a separate partition with its own filesystem that will have nothing in common with OS filesystem. OS is unable to read DBMS filesystem data. So getting root on OS does not give the hacker access to the DBMS file system and only DBMS users can access it.
Re: Security Question
Hi!

On Nov 27, DeBug wrote:

> > - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!
>
> PD> Sure. That's why you establish filesystem level access privileges so that only the mysql user can copy them in the first place.
>
> Some DBMSs allow to setup databases on a separate partition with its own filesystem that will have nothing in common with OS filesystem. OS is unable to read DBMS filesystem data. So getting root on OS does not give the hacker access to the DBMS file system and only DBMS users can access it.

No, getting root gives access to each and every byte on the hard drive. He can read the partition where the data are. And if he is prepared, he can interpret them, of course (we are not talking about script kiddies here, are we?). Or, he can patch the in-memory image of the running db process and access the data through it.

Regards,
Sergei

--
Sergei Golubchik [EMAIL PROTECTED]
MySQL AB, Senior Software Developer
Osnabrueck, Germany
www.mysql.com
Security Question
I am trying to find a solution to the following security issue with MySql DB on linux

- Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!

Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similar to open the DB

many thanks in advance for info

This email and any attachments are confidential and intended for the sole use of the intended recipient(s). If you receive this email in error please notify [EMAIL PROTECTED] and delete it from your system. Any unauthorized dissemination, retransmission, or copying of this email and any attachments is prohibited. Euroconex does not accept any responsibility for any breach of confidence, which may arise from the use of email. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. This message has been scanned for known computer viruses.
Re: Security Question
Thomas,

> I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!

Well, someone should not have access rights to the DB files on the first hand.

> Ideally I would like to know if there is any option in MySql to store the DB files in a secure format and one that needs a key or similar to open the DB

If someone was able to access your DB files, he would probably also be able to access that key (that you must store _somewhere_), wouldn't he?

- Csongor
RE: Security Question
Thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker

Obviously and (I had assumed)

1. - the files would have tight unix security file permissions applied
2. - indeed the key would be stored on an internal tightly managed box (or device)

Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt

So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying

If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites

Thomas
Re: Security Question
On Wednesday 26 November 2003 13:22, Curley, Thomas wrote:

> Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt
>
> So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying

To look at it from another angle (and address the 'shouldn't be on the internet' issue), take the case of a webserver that has a script that can access the SQL server. Said SQL server is on a private, internal only network, with no access to the internet. Said script has a username and password that can read 'private' data. Someone is able to see the source of the script, and now has the username and password (assumption: the viewing is done from a local shell). How is having the SQL server hidden from the internet a benefit?

So long as you provide any mechanism to access the server, you cannot consider the server data to be private, unless you redefine the word private. If you want to keep data on an SQL server, and not let people copy the database, then don't give them a login on the SQL server, and don't give them a username/password for connecting to the SQL engine.

How do you stop someone from copying a piece of paper in an office? You lock it away from them. Or them from it.
Re: Security Question
Well, I'm not an expert on security, but I don't think this is a database issue. It is really a file/operating system issue. I don't think you can do anything in the database against copying the files. If somebody has access on file system level, the dbms is powerless. So I think you need to think about the OS.

Stefan

--
Stefan Kuhn M. A.
Cologne University BioInformatics Center (http://www.cubic.uni-koeln.de)
Zülpicher Str. 47, 50674 Cologne
Tel: +49(0)221-470-7428 Fax: +49 (0) 221-470-7786
My public PGP key is available at http://pgp.mit.edu
RE: Security Question
One of the first things that I did at my former job was to turn off all external-facing network adapters to our DB machines. If you're fortunate enough that your DB resides on its own box and not the webserver itself, then there's really no reason that you *need* to have it externally facing. There are PLENTY of solutions that you can put in place in order to still have remote access to those machines without them having an externally routable IP.

While it is possible for a hacker to compromise one machine and then access the DB machine over your internal WAN at the hosting location, the more roadblocks you put between a potential hacker and your sensitive data, the better.

-M
RE: Security Question
Mike

Correct and this is the architecture. The internet facing box has a routable IP, the DB box is separate and is not ext routable.

The issue the security review highlighted strongly was the fact that if a hacker got access to the box (however) then copying /var/lib/mysql/database would result in a major security breach

To the chap who said it's not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is)

Thomas
Re: Security Question
On Wednesday 26 November 2003 13:43, Curley, Thomas wrote:

> Mike
>
> Correct and this is the architecture. The internet facing box has a routable IP, the DB box is separate and is not ext routable.
>
> The issue the security review highlighted strongly was the fact that if a hacker got access to the box (however) then copying /var/lib/mysql/database would result in a major security breach
>
> To the chap who said it's not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is)

In the end, it's all tradeoffs. You could put an encryption algorithm into your web interface, but then the key is public. However, cracking the DB server only gets you encrypted data. Tradeoff? Speed.

Best data security practice (silly) - don't have the data in the first place.
Re: Security Question
> To the chap who said it's not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is)

The chap was me :-) I'm sure it does on oracle. Once you have an Oracle installation and got hold of all database files (which is easy once an intruder got root on the machine) you have access to all data. Even oracle can't do anything about this, but there might be two difficulties with oracle compared to mysql: You need the oracle software (expensive, but do hackers buy software?) and it might be that the files are spread all over the computer and hard to find. But basically, it is the same with oracle (but I never used oracle, this is common sense).

Stefan
Re: Security Question
Hacker gets in this way:

    -[Webserver][rooted]-[DBServer][rooted]-File_Access(/var/lib/mysql/database)

I'd say the major security breach is already when the Webserver is rooted.^ If he gets to your webserver he could still read WHATEVER DATA he wants from your database with the information he finds in your site's code.

Look at below example: (Use Fixed Font)

    Internet
       |
    (80,443)--- - firewall w/ webports open
       |
    Webserver
       |
    (3306)- - another one allowing mysql access
       |
    DBServer

Since you have a bulkhead between your servers your DBServer is completely* safe from anyone getting file-level access to it. But, since you have a working webserver with scripts and functions to access the database he can still access any data he wants from the database server.

Stop worrying so much about mysql's filelevel security. If your webserver is rooted you are toast anyway!

Mike

^Your security review needs to be reviewed?
*Unless there's a security hole in mysql allowing code/command execution.

On Wednesday 26 November 2003 14.43, Curley, Thomas wrote:

> Mike
>
> Correct and this is the architecture. The internet facing box has a routable IP, the DB box is separate and is not ext routable.
>
> The issue the security review highlighted strongly was the fact that if a hacker got access to the box (however) then copying /var/lib/mysql/database would result in a major security breach
>
> To the chap who said it's not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is)
>
> Thomas
Re: Security Question
Hi!

On Nov 26, Curley, Thomas wrote:

> thanks for reply - the requirement comes from a security audit - so try to think in terms of a hacker
>
> Obviously and (I had assumed)
> 1.- the files would have tight unix security file permissions applied
> 2.- indeed the key would be stored on an internal tightly managed box (or device)
>
> Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt
>
> So the question again :- Any ideas on how to avoid having data files stored with absolutely no protection against copying

Just as you said above - tight unix security file permissions. That is - database files should be readable ONLY by the dedicated mysql user. Thus if somebody breaks in he will need to be root to copy these files. And if he can get root - no encryption will help, he can get the key straight from the mysqld memory image (via /proc/*/mem) or patch the server (again via /proc/*/mem) to decrypt all the data for him, or hijack your connections to the server and record all the traffic or anything.

If somebody got root - you lost. Until he did - unix permissions will help.

> If there is no solution to this then MySql should not be used on internet accessible boxes for dynamic web sites

See above. Web server should be on this internet accessible box, shouldn't it ? And it (or a CGI program) should be able to talk to mysqld (which resides on a dedicated secure box), and it should know the password. So if somebody can get into the box with httpd - he'll be able to access mysqld too.

Regards,
Sergei

--
Sergei Golubchik [EMAIL PROTECTED]
MySQL AB, Senior Software Developer
Osnabrueck, Germany
www.mysql.com
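The permission rule in the message above ("database files should be readable ONLY by the dedicated mysql user") can be checked mechanically. The following is an added example, not code from the thread or from MySQL; the function names and the sample tree are constructed for illustration, and it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile


def audit_datadir(datadir, expected_uid):
    """Return sorted (path, problem) pairs for everything under datadir that
    an account other than the dedicated database user could read or change."""
    findings = []
    for root, dirs, files in os.walk(datadir):
        # os.walk yields every real directory as `root`; symlinked directories
        # are not descended into, so they are added explicitly to be reported.
        paths = [root] + [os.path.join(root, name) for name in files]
        paths += [os.path.join(root, d) for d in dirs
                  if os.path.islink(os.path.join(root, d))]
        for path in paths:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink, target not checked"))
                continue
            if st.st_uid != expected_uid:
                findings.append((path, "owned by uid %d" % st.st_uid))
            loose = stat.S_IMODE(st.st_mode) & 0o077
            if loose:
                findings.append((path, "group/other bits set: %03o" % loose))
    return sorted(findings)


def build_sample_datadir(base):
    """Constructed sample tree: one tight table file, one world-readable one."""
    db = os.path.join(base, "database")
    os.mkdir(db)
    os.chmod(db, 0o700)
    for name, mode in (("orders.MYD", 0o600), ("orders.MYI", 0o644)):
        path = os.path.join(db, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(path, mode)
    return db


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_datadir(base)
        # The current uid stands in for the dedicated mysql account here.
        for path, problem in audit_datadir(base, os.getuid()):
            print(path, "->", problem)
```

On a real host, pass the uid of the account mysqld runs as and the actual data directory; an empty result means only that account (and root) can copy the files.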
Re: Security Question
Stefan Kuhn wrote:

> > To the chap who said it's not a DB issue - I will check with Oracle but I'm sure that dropping in a directory in oracle will not give you full access to a database (a clear one that is)
>
> The chap was me :-) I'm sure it does on oracle. Once you have an Oracle installation and got hold of all database files (which is easy once an intruder got root on the machine) you have access to all data. Even oracle can't do anything about this, but there might be two difficulties with oracle compared to mysql: You need the oracle software (expensive, but do hackers buy software?) and it might be that the files are spread all over the computer and hard to find. But basically, it is the same with oracle (but I never used oracle, this is common sense).
>
> Stefan

It isn't quite as simple as copying the datafiles to a new server and opening the Oracle database. There are controlfiles to deal with and a somewhat complex process to follow. But, Oracle documentation and Oracle database software is freely downloadable over the net, so a determined thief would be able to access your data without too much problem.

It is far easier, however, if you can root an Oracle box, to become the software owner, change the sys/system password (database root), export the database and either import that file into another Oracle database or just do a strings on it to get readable data. You can do all that, anyway, faster than copying all of the datafiles off the server.

--
Glenn Stauffer
RE: Security Question
At 07:22 AM 11/26/2003, you wrote:

> Another Assumption -- Encrypting / decrypting all data on the fly would be too expensive and grind the app to a halt

Not true. There are some databases that can encrypt records on the fly without any speed degradation ( 1%) using either Blowfish or AES. The data record, index, blob fields (memos) are all encrypted so if someone walks away with your database files, they are all gibberish. The transmission of the password over the network is also encrypted. See www.advantagedatabase.com for a Windows/Linux solution. (Unfortunately their free ALS version has a license agreement that does NOT permit its use on a web server.)

If you have physical access to the web server then simply entering the password will get the database app up and running. Or there are various means to send the encrypted time sensitive password to the webserver so it can open the database. Anyone sniffing for the password will be out of luck.

I too would love to have MySQL encrypt the records on the fly, especially if it is on a shared webserver. OS security will only get you so far. Other database companies have implemented transparent record encryption quite effectively, and I'm still waiting for MySQL to realize the importance of encryption.

Mike
( holding breath :-0 )
Re: Security Question
Curley, Thomas wrote:

> I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!

As all the other posters have mentioned, you should have tight file level security set up. However, if you use basic mysql user authentication, even copying the files over shouldn't allow them to view the information in a database since they would need the mysql user/passwd to do anything.

Which got me to thinking... is this the case? If I am using MyISAM tables and just port them over to a different box with a different security scheme, would I be allowed to view those MyISAM tables? Also, is this the case for InnoDB as well?
Re: Security Question
At 16:13 -0500 11/26/03, Kevin Carlson wrote:

> Curley, Thomas wrote:
>
> > I am trying to find a solution to the following security issue with MySql DB on linux - Someone copies the DB files to another box, starts a mysql instance, loads the DB and presto - views the 'private' data !!!
>
> As all the other posters have mentioned, you should have tight file level security set up. However, if you use basic mysql user authentication, even copying the files over shouldn't allow them to view the information in a database since they would need the mysql user/passwd to do anything.
>
> Which got me to thinking... is this the case? If I am using MyISAM tables and just port them over to a different box with a different security scheme, would I be allowed to view those MyISAM tables? Also, is this the case for InnoDB as well?

Sure. That's why you establish filesystem level access privileges so that only the mysql user can copy them in the first place.

If someone can copy your database files, you're hosed. All the attacker need do is start the server with --skip-grant-tables, and he can connect to it with no password, and has complete access to any files managed by the server.

--
Paul DuBois, Senior Technical Writer
Madison, Wisconsin, USA
MySQL AB, www.mysql.com
Are you MySQL certified? http://www.mysql.com/certification/
Re: Security Question
At 03:21 PM 11/26/2003, you wrote:

> If someone can copy your database files, you're hosed. All the attacker need do is start the server with --skip-grant-tables, and he can connect to it with no password, and has complete access to any files managed by the server.

Paul Curley,

And of course if they have physical access to the machine they can remove your hard drive and put them into their own machine as a slave. Hot swappable drives make removal fast and easy; you don't even need a screwdriver. So if your data is worth something, make sure there are good locks on the door and check everyone's bag on the way out.g

If you think this can't happen, a mega bookstore opened up in town and they had their file server/database server sitting beside a desk in the common area. I guess they were in a hurry to set it up and get the terminals up and running. Well a few days later the system went down and in a few minutes the techie went over to check it out. Well, their tower computer had disappeared. Apparently someone had disconnected (or cut the cables) it and snuck it out the door under a trench coat. It took less than 60 seconds and their data was gone, customer lists, vendor info, and credit card data now belonged to someone else.

I don't know what database they were using, but once your hard drives are gone or copied or backed up, your data is vulnerable unless you're using encryption that is independent of the OS.

Mike
Security Question: dynamic urls.
The mysql docs, in the security section, warn of special characters encoded in dynamic urls. IE., %27 (`'`).

Is there a hazard with the string '%27' being in the database? Or is this just another case of protecting against the insertion of the `'` character?

In other words, if I am already escaping all single quotes that go into the database, do I need to care about special url sequences?

-Bluejack
Security question: Possible to hide table structure? I couldn't find...
Hello,

Think that we have a database named DATABASE1, and table named TABLE1, and fields named FIELD1, FIELD1, FIELD2, FIELD3, FIELD4.

You want to give a specific permission to a user named USER1. For ex, you give only SELECT permission to USER1 for FIELD1 and FIELD4 in TABLE1 and DATABASE1, and you did not assign any other permission to USER1.

Now everything is OK! USER1 can only select FIELD1 and FIELD4, and can not see data or change or etc.. to FIELD2 or FIELD3.. So we think that everything is OK!

But, USER1 is still able to see the table structure of TABLE1. He sees fields which I don't want him to see!

As I searched the internet related to this topic I couldn't find any satisfactory solution to this one. Anyone has idea to prevent USER1 to be able to see table structure and only permission to SELECT FIELD1 and FIELD4 as I assigned?

Also there should be some default error message for these users when they try to select from another field. Why? Because if my first question gets answered and solved, then, USER1 can try to SELECT FIELD3 FROM TABLE1... and it will say something like "you have no permission for FIELD3". Instead of this, it can be "This field does not exist"..

Thanks.
QWERTY
default installation and security question
Greetings,

I have been working with a software provider whose software db configuration uses the default mysql installation (ie, root, no password). They contend that since the mysql server itself is not shared (ie, installed on a vps for a single user) that there is no need to add a password. Are they correct? All the documentation I have ever read recommends at the very least immediately adding a password.

Please advise.

Best regards,
Nicole

-
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: default installation and security question
At 7:53 -0800 3/3/03, Nicole Lallande wrote:

> Greetings,
>
> I have been working with a software provider whose software db configuration uses the default mysql installation (ie, root, no password). They contend that since the mysql server itself is not shared (ie, installed on a vps for a single user) that there is no need to add a password. Are they correct? All the documentation I have ever read recommends at the very least immediately adding a password.
>
> Please advise.

No. They're incorrect. Running as root is an invitation for trouble. Running without a password is an invitation for trouble.

> Best regards,
> Nicole
re: Security question
Daniel,
Monday, October 28, 2002, 1:06:10 AM, you wrote:

DLS In my mysql.db file, I have some lines like:
DLS %.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y
DLS So, I have an internal domain called private, those hosts are in an
DLS internal DNS, and can be reverse resolved. The only way I can manage to
DLS connect to somedb as someuser is to put the fully qualified hostnames
DLS in the /etc/hosts file, eg.:
DLS 1.2.3.4 somehost.private
DLS For some reason mysql is not seeing the DNS resolution. Yes, DNS is
DLS really working as verified with nslookup for both forward and reverse
DLS records.
DLS The version of mysqld I am running is:
DLS /usr/libexec/mysqld Ver 3.23.36 for redhat-linux-gnu on i386
DLS Can someone provide some insight or suggestions?

Sure, there are some known problems with resolver on Linux.

First, you should not compile MySQL by yourself. Broken resolver is one of the most common situations happening when MySQL is wrong-compiled.

Second, there were a lot of fixes to resolver part of MySQL since .36. So you have to upgrade your server to MySQL 3.23.53 with MySQL official binary release found at http://www.mysql.com/

That will help.

--
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
Egor Egorov
[EMAIL PROTECTED]
MySQL AB / Ensita.net
www.mysql.com
Security question
In my mysql.db file, I have some lines like:

%.private | somedb | someuser | Y | Y | Y | Y | Y | Y | N | Y | Y | Y

So, I have an internal domain called private, those hosts are in an internal DNS, and can be reverse resolved. The only way I can manage to connect to somedb as someuser is to put the fully qualified hostnames in the /etc/hosts file, eg.:

1.2.3.4 somehost.private

For some reason mysql is not seeing the DNS resolution. Yes, DNS is really working as verified with nslookup for both forward and reverse records.

The version of mysqld I am running is:

/usr/libexec/mysqld Ver 3.23.36 for redhat-linux-gnu on i386

Can someone provide some insight or suggestions?

--
For better security, contact me using my public encryption key. To obtain my public key, finger [EMAIL PROTECTED]
Re: Security question
Mike,
Thursday, August 15, 2002, 12:45:06 AM, you wrote:

MH Hi there,
MH I posted this a few days ago and received no responses, so I thought I would
MH post it again:

Mike, I answered you yesterday.

MH Hi All;
MH I am working on a front end to my database, but I am running into a bit of
MH trouble. I have a user who has the proper privileges and grant option create
MH other users, but I need to know this: can that user delete users he has
MH created (or at least disable them), and can users change their own
MH passwords? This is all being done for a VB front end, so I need to be able
MH to do these things using SQL statements. Any help would be appreciated.

To create other users you must have UPDATE privilege on database 'mysql' and GRANT_priv. To delete users you must have DELETE_priv and SELECT_priv (to use DELETE with WHERE clause) on the database 'mysql'. But in this case user can delete any user from database 'mysql' not only users that you created.

User can change his password just using mysqladmin

mysqladmin -uuser_name -pold_password password 'new_password'

or SET statement: http://www.mysql.com/doc/en/Passwords.html

--
Victoria Reznichenko
[EMAIL PROTECTED]
MySQL AB / Ensita.net
www.mysql.com
Security question
Hi there,

I posted this a few days ago and received no responses, so I thought I would post it again:

Hi All;

I am working on a front end to my database, but I am running into a bit of trouble. I have a user who has the proper privileges and grant option create other users, but I need to know this: can that user delete users he has created (or at least disable them), and can users change their own passwords? This is all being done for a VB front end, so I need to be able to do these things using SQL statements. Any help would be appreciated.

Thanks,
Mike Hillyer
FILE Permission Security Question
Hello everyone,

I was wondering if anyone could help me out and explain a bit about the FILE permissions and how they relate to two particular scenarios:

In both cases MySQL is running on SunOS 5.7 and running MySQL client version 3.22.23b

MySQL UserA has permissions only on DatabaseA and is granted FILE permissions to all tables in that database

Scenario 1: If UserA connects to the database using the MySQL client

What are the restrictions on what files that user can access using a LOAD DATA command? Are they dependent at all on the UNIX file permissions for the user who is logged in and actually connects to the database using the mysql -u... etc command? Do the UNIX permissions for the user that started the MySQL server have any effect on this? Is there anything configuration wise that might allow LOADing in other DBs or system files? What defines where outfiles can be written?

Scenario 2: If UserA's credentials are used to connect to the MySQL database using the Perl DBI

Same question, what factors influence what files can be read in using a LOAD DATA command? What defines where outfiles can be written?

In both scenarios is there anything that can compromise this security such as the MySQL server running as root? (I know that's a big no-no)

Also, I know I'm running an ancient version of MySQL, can anyone help me find out when that version was released? 3.22.23b? It will help me convince the right people that it's time for an upgrade! I've checked in the release notes section but I can't find anything about when particular releases were made...

Thanks,
-Chris
Re: FILE Permission Security Question
At 11:13 PM -0400 5/8/01, A. Chris Nichols wrote:

> Hello everyone,
>
> I was wondering if anyone could help me out and explain a bit about the FILE permissions and how they relate to two particular scenarios:
>
> In both cases MySQL is running on SunOS 5.7 and running MySQL client version 3.22.23b
>
> MySQL UserA has permissions only on DatabaseA and is granted FILE permissions to all tables in that database

Nope. The FILE privilege is one of the global privileges. You either have it or you don't. Doesn't depend on which databases you have access to. (The indicator for whether or not you have the FILE privilege is stored in the user table along with the other global privileges. That table isn't db-specific.)

> Scenario 1: If UserA connects to the database using the MySQL client
>
> What are the restrictions on what files that user can access using a LOAD DATA command? Are they dependent at all on the UNIX file permissions for the user who is logged in and actually connects to the database using the mysql -u... etc command? Do the UNIX permissions for the user that started the MySQL server have any effect on this? Is there anything configuration wise that might allow LOADing in other DBs or system files? What defines where outfiles can be written?

The user who is logged in has nothing to do with the LOAD DATA (this is not true for LOAD DATA LOCAL, but that's not what you're asking about). There are two reasons for this:

1) you connect to the server using a MySQL user name, not your UNIX login name. (They might be the same, but that's just coincidence.)

2) The server can only access files that are accessible by the account whose ID the server runs as. This has nothing to do with either your MySQL user name *or* your UNIX login name.

What defines where outfiles can be written are the privileges of the UNIX account under which the server runs. There's nothing special about this. If the server runs as root, it can access anything (which is why it's a bad bad bad idea to run the server as root). If the server runs as an ordinary user, it has that user's privileges.

> Scenario 2: If UserA's credentials are used to connect to the MySQL database using the Perl DBI
>
> Same question, what factors influence what files can be read in using a LOAD DATA command? What defines where outfiles can be written?

The privileges of the UNIX account under which the server runs. Doesn't matter what MySQL user you connect to the server as.

> In both scenarios is there anything that can compromise this security such as the MySQL server running as root? (I know that's a big no-no)

Right. Don't run the server as root. Run it as an ordinary user to limit the amount of damage it can do. (Or that users with the FILE privilege can make it do.)

> Also, I know I'm running an ancient version of MySQL, can anyone help me find out when that version was released? 3.22.23b? It will help me convince the right people that it's time for an upgrade! I've checked in the release notes section but I can't find anything about when particular releases were made...

Not sure exactly, but I know it was prior to December 1999.

> Thanks,
> -Chris

--
Paul DuBois, [EMAIL PROTECTED]
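The reply above says that what a FILE-privileged MySQL user can reach is decided by the UNIX account the server runs as, and that root can reach everything. This added example (not part of the thread, function names hypothetical) evaluates that for a list of paths. It assumes classic POSIX mode bits only: ACLs and search permission on parent directories are not modelled, so it may over-report reach.

```python
import os
import stat
import tempfile


def mode_allows(st, uid, gids, bits):
    """Pick the owner, group or other permission triplet that applies to
    (uid, gids) and test that every bit in `bits` (4=r, 2=w, 1=x) is set."""
    if uid == 0:
        return True  # root bypasses the mode bits entirely
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        triplet = mode >> 6
    elif st.st_gid in gids:
        triplet = mode >> 3
    else:
        triplet = mode
    return (triplet & bits) == bits


def file_privilege_reach(paths, server_uid, server_gids=()):
    """For each path, report what a MySQL account holding FILE could make a
    server running as server_uid do: read a file (LOAD DATA INFILE without
    LOCAL) or create a new file in a directory (SELECT ... INTO OUTFILE)."""
    reach = {}
    for path in paths:
        st = os.stat(path)
        if stat.S_ISDIR(st.st_mode):
            # Creating a file needs write and search permission on the directory.
            ok = mode_allows(st, server_uid, server_gids, 2 | 1)
            reach[path] = "outfile-writable" if ok else "no-write"
        else:
            ok = mode_allows(st, server_uid, server_gids, 4)
            reach[path] = "infile-readable" if ok else "no-read"
    return reach


def build_sample_tree(base):
    """Constructed sample: a private file, a world-readable file, a private
    directory and a world-writable directory. Returns their paths."""
    spec = (("secret.txt", 0o600, False), ("public.txt", 0o644, False),
            ("private_dir", 0o700, True), ("dropbox_dir", 0o777, True))
    paths = []
    for name, mode, is_dir in spec:
        path = os.path.join(base, name)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(path, mode)
        paths.append(path)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        paths = build_sample_tree(base)
        unprivileged = os.getuid() + 1000  # stands in for a dedicated account
        for label, uid in (("server as root", 0), ("server as uid %d" % unprivileged, unprivileged)):
            print(label)
            for path, verdict in file_privilege_reach(paths, uid).items():
                print("   ", os.path.basename(path), "->", verdict)
```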
Security Question
Hi,

I am typing the following sequence of commands and running into an access denied message.

mysql -uusername -ppassword -hwww.myhost.com dbname

the bit above works and takes me to my mysql prompt and i am logged into my server/database.

then i try the following and i get the error message.

load data local inifile "c:\text.txt" into table dbname.tblname fields terminated by ',' ;

I have also tried ... infile "text.txt" and placed a copy of the text file in c:\mysql and c:\mysql\bin with no success.

please could you let me know if you can see I am doing something wrong or if there is a way I can check to see if I have relevant access before I contact my ISP.

Many thanks
Sean Browne.
Re: Security Question
On 27.02.2001 12:00:38 wrote:

> then i try the following and i get the error message.

WHAT error message?

> load data local inifile "c:\text.txt" into table dbname.tblname fields terminated by ',' ;

Hmm, as you don't tell us the error message that you're getting, it's hard to help you. I don't know for sure, but maybe MySQL can't handle the DOS directory delimiter \ when it's unescaped? So, try "C:\\text.txt" instead of "c:\text.txt". Hmm, or maybe MySQL needs Unix style delimiters? Try "c:/text.txt".
Re: Security Question
LOAD DATA [LOW_PRIORITY] [LOCAL] INFILE 'file_name.txt' [REPLACE | IGNORE]
    INTO TABLE tbl_name
    [FIELDS
        [TERMINATED BY '\t']
        [[OPTIONALLY] ENCLOSED BY '']
        [ESCAPED BY '\\' ]]
    [LINES TERMINATED BY '\n']
    [IGNORE number LINES]
    [(col_name,...)]

The LOAD DATA INFILE statement reads rows from a text file into a table at a very high speed. If the LOCAL keyword is specified, the file is read from the client host. If LOCAL is not specified, the file must be located on the server. (LOCAL is available in MySQL 3.22.6 or later.)

Moreover u r missing the escape char "\" in the path so just type the foll and tell me it works.

load data local inifile "c:\\text.txt" into table dbname.tblname fields .

Additionally u could use "c:/text.txt". Notice the forward slash.

cheers
Sajan

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 4:30 PM
Subject: Security Question

> Hi,
>
> I am typing the following sequence of commands and running into an access denied message.
>
> mysql -uusername -ppassword -hwww.myhost.com dbname
>
> the bit above works and takes me to my mysql prompt and i am logged into my server/database.
>
> then i try the following and i get the error message.
>
> load data local inifile "c:\text.txt" into table dbname.tblname fields terminated by ',' ;
>
> I have also tried ... infile "text.txt" and placed a copy of the text file in c:\mysql and c:\mysql\bin with no success.
>
> please could you let me know if you can see I am doing something wrong or if there is a way I can check to see if I have relevant access before I contact my ISP.
>
> Many thanks
> Sean Browne.
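Both replies above point at the unescaped backslash in the quoted path. This added example (not from the thread) models how a MySQL string literal is unescaped, using the escape table from the current MySQL reference manual and assuming the default SQL mode where backslash escapes are enabled, to show what file name each spelling actually names. The function names are hypothetical.

```python
# Escape sequences recognised inside a quoted MySQL string literal.
MYSQL_ESCAPES = {
    "0": "\x00", "'": "'", '"': '"', "b": "\b", "n": "\n",
    "r": "\r", "t": "\t", "Z": "\x1a", "\\": "\\",
}


def _tokens(body):
    """Yield (raw, value) pairs for the text between the quotes."""
    i = 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in "%_":
                value = "\\" + nxt  # kept verbatim outside LIKE patterns
            else:
                # Unknown escapes simply lose the backslash: \m -> m
                value = MYSQL_ESCAPES.get(nxt, nxt)
            yield body[i:i + 2], value
            i += 2
        else:
            yield body[i], body[i]
            i += 1


def mysql_unescape(body):
    """Return the string the server sees for the literal body."""
    return "".join(value for _raw, value in _tokens(body))


def path_literal_problems(body):
    """List the escape sequences that change a Windows path written inside
    a string literal. A doubled backslash is the intended spelling."""
    problems = []
    for raw, value in _tokens(body):
        if len(raw) == 2 and raw != "\\\\" and value != raw:
            if value.isprintable():
                problems.append("%s lost its backslash" % raw)
            else:
                problems.append("%s became 0x%02x" % (raw, ord(value)))
    return problems


if __name__ == "__main__":
    # The spellings discussed in the thread, as typed between the quotes.
    for body in (r"c:\text.txt", r"c:\\text.txt", "c:/text.txt",
                 r"c:\mysql\bin\text.txt"):
        print("%-26s -> %-26r %s" % (body, mysql_unescape(body),
                                     path_literal_problems(body)))
```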