When should you start to worry about MySQL security? When you start to use the MySQL server over an Internet connection. Why? Because that is when your MySQL server is going to be the most vulnerable to all kinds of attacks, such as alterations and denial of service.
The security issues that we will be discussing here will relate only to the MYSQL Server, but must be taken in the context of securing the entire server host against the above mentioned attacks and others.
How does MYSQL Security Work?
MYSQL security is based on the Access Control List (or ACL) for all connections, queries and many other operations that a user can perform. What does this mean? Well, it basically means that different users will have varying levels of access to certain databases and tables and that they will be limited to performing only certain operations. For example, a user with full privileges to a database will be able to perform a range of operations such as SELECT, DELETE, UPDATE and INSERT, while a user with limited privileges would only be able to use the SELECT operation and so on.
General Guidelines for MYSQL Security
On the machine running MYSQL, go into the bin directory where mysql is installed. For example if the installation directory is "c:mysql" then go into the "c:mysqlbin" directory and type the following:
Mysql -u root
Now press enter. If you get a "Welcome to MYSQL server " message, then it means that you have successfully connected to the server WITHOUT being asked for a password. This means that anyone can access your MYSQL server as the "root" user. This status gives this user complete control over your MYSQL server. Now, I don't have to tell you what it would mean if a hacker should gain this kind of access when you are hosting databases for companies. It is THE ultimate nightmare situation for a Database Administrator.
So to avoid this scenario:
Check your MYSQL installation manual for setting a password for your root account. It is absolutely critical that you do this if you are going to use MYSQL over the Internet.
Make sure that you understand the MYSQL access privilege system. Use the GRANT and REVOKE statements to control access to your MYSQL server.
Use the SHOW GRANT statement to check who has access to what. And use the REVOKE statement to remove those privileges that you deem not necessary.