Blog

Importing a text file containing a list of SQL commands into MySQL is a straightforward task. All you need to do is simply feed the file contents through pipe into MySQL command line client. For example: mysql app_production < dump.sql. The reasons for doing such imports can be very different - restoring MySQL backups created with mysqldump, manually replaying binary log events or performing database migrations during software roll-outs. While the task is simple, the import may not end successfully and when this happens, how to tell what the problem was?

MySQL lets database administrators define access rights on many levels – from the ability to run global commands down to access to individual columns. Some rights can be applied to many different objects, such as for example SELECT or UPDATE, which can be granted globally or restricted only to certain databases or tables, while others are only meant for one specific purpose. An example of the latter could be FILE privilege, which permits user to interact with the file system from inside a database instance. It only makes sense as the global right and not anywhere else.

In a world driven by computers, most companies rely on systems that are entirely built around databases. Losing data, or even as little as losing the full control over it, could bring any business down. Frequently databases hold sensitive information such as personal details, transaction statements, credit card data – among many other things. This is also why running certain types of databases is regulated in many countries by local as well as international laws – especially in Europe.

If for any reason you couldn't attend my talk at FOSDEM earlier today on improving MySQL security, I have already uploaded the slides. You can download them from here.

Without going into unnecessary details about CVE-2012-5612 bug; an authenticated database user could use this flaw to crash MySQL instance or even try executing some code. Is it a serious problem? Do you need to worry about it? I recently saw some comments that "My database is safe, only application can access it. Is it really a serious bug?" which scared me a bit. Such opinion might be fine but only for closed systems with limited access to MySQL, but what if you are hosting provider that share single MySQL instance between several accounts? Here, security matters a lot! Especially if you allow users to create test/demo accounts.