Database Security
5 April 2006
Adina Cr ăiniceanu www.cs.usna.edu/~adina
1

Rights
Enforced
 Database security only authorized users can perform authorized activities
Responsibilities
Not Enforced
 Developing database security
 Determine users’ rights and responsibilities
 Enforce security requirements using security features from both DBMS and application programs
Kroenke, Database Processing 2

 DBMS products provide security facilities
 They limit certain actions on certain objects to certain users or groups (also called roles )
 Almost all DBMS products use some form of user name and password security
 Examples?
Kroenke, Database Processing 3

 GRANT – create users and grant them privileges
 REVOKE – remove privileges
 Privileges:
 ALL
 SELECT
 INSERT, DELETE, UPDATE
 CREATE, ALTER, DROP
 USAGE //no privileges
Kroenke, Database Processing 4

GRANT privilege_type
ON object
TO user
[IDENTIFIED BY ' password ']
[WITH GRANT OPTION]
Example:
GRANT ALL ON dbmusic.* TO adina
Kroenke, Database Processing 5

REVOKE priv_type
ON object
FROM user [, user ]
Example:
REVOKE INSERT ON dbmusic.* FROM adina
Kroenke, Database Processing 6

 Create database vp5fund and tables
 Log in MySQL from command line as root
 Grant select privileges on table Items to user mxxx with password mxxx
 Logout
 Log in MySQL as mxxx with password mxxx
 SELECT * FROM Items
 INSERT into Items VALUES(‘aa’,5) – What happens?
Kroenke, Database Processing 7

Kroenke, Database Processing 8

 Run DBMS behind a firewall, but plan as though the firewall has been breached
 Apply the latest operating system and
DBMS service packs and fixes
 Use the least functionality possible
 Protect the computer that runs the DBMS
Kroenke, Database Processing 9

 Manage accounts and passwords
 Use a low privilege user account for the DBMS service
 Protect database accounts with strong passwords
 Monitor failed login attempts
 Frequently check group and role memberships
 Audit accounts with null passwords
 Assign accounts the lowest privileges possible
 Limit DBA account privileges
 Planning
 Develop a security plan for preventing and detecting security problems
 Create procedures for security emergencies and practice them
Kroenke, Database Processing 10

 If DBMS security features are inadequate, additional security code could be written in application program
 Example In Project 2?
 Use the DBMS security features first
 Less chance for infiltration
 Faster
 Cheaper
 Higher quality results than developing your own
Kroenke, Database Processing 11

 SQL injection attack occurs when data from the user is used to modify a SQL statement
 User input that can modify a SQL statement must be carefully edited to ensure that only valid input has been received and that no additional SQL syntax has been entered
 Example: users are asked to enter their names into a
Web form textbox
 User input: Benjamin Franklin ' OR TRUE '
SELECT * FROM EMPLOYEE
WHERE EMPLOYEE.Name = 'Benjamin Franklin' OR TRUE;
 Result: every row of the EMPLOYEE table will be returned
Kroenke, Database Processing 12

 Write PHP code to check user input, so
SQL injection attack not possible
Kroenke, Database Processing 13

 SQL
 SQL Views
 SQL Triggers
 SQL Stored Procedures
 PHP/MySQL
 Database Administrator tasks
 Manage database structure
 Concurrency control
Kroenke, Database Processing 14