If you are a web developer or administrator, aside from administering your web server, you should also be administering your MySQL database in terms of security. This database is open source and is commonly used with the PHP web server scripting language; tons of useful applications are being developed with this kind of setup. This is good, but it opens up issues, which we'll discuss here along with their solutions.
Because of its immense popularity, MySQL is also a regular target for malicious users or hackers wanting to exploit your system and steal data. This type of exploit can be serious; it can include putting malicious software on your web server and using the website to host malware.
To avoid letting your database be compromised, this article outlines useful tips which every webmaster should be implementing to maximize database security. These tips come from experience, and from the MySQL developers themselves.
We will outline possible security issues with using MySQL and then propose feasible corrective actions.
Network eavesdropping to compromise connection
This is particularly true if you belong to an untrusted network. Someone may have the time to sniff your connection to the MySQL server and compromise the connections.
The default connection to the MySQL server is not encrypted (for most hosting companies), which could be a problem if you are sending sensitive data to the MySQL server.
To correct this problem, encrypt the connection or session to the MySQL server. You have two options when encrypting data, SSH or SSL.
SSH is short for "secure shell." If you prefer to work with a command line rather than a GUI, then you'll find that using SSH is great for encrypting the packets going in and out of the MySQL server.
SSL stands for "secure socket layer." It is very important for commercial websites, especially if you are running a business that accepts sensitive information, such as credit card numbers.
If you want to look at it as a system, MySQL server serves two entities: the connection between MySQL server and the MySQL client, and the connection between MySQL server and the web server. See the screen shot below for a visual representation.
Not all web hosts offer SSL connections in phpMyadmin. So if you need to encrypt some of your connections, you need to check with your web hosting company to see if they enable SSL by default when connecting to phpmyadmin.
Some free hosting companies disable this feature, so a free hosting account is more susceptible to an eavesdropping problem.
If you use Putty, you can use it to connect to the remote MySQL server using SSH protocol. A discussion of this topic is beyond the scope of this article, though you can easily download Putty. You can also find some Putty security tutorials if you're interested in pursuing this topic further.
Then, if you accept sensitive data from customers, you can purchase an SSL certificate and install it in your website, so that communication between web forms and the web server is encrypted.