Specifications

For the purposes of setting up a Web database, it's a good idea to set up at least one user per
Web application.
You might ask, "Why would I want to do this?" The answer lies in privileges.
Introduction to MySQL's Privilege System
One of the best features of MySQL is that it supports a sophisticated privilege system.
A privilege is the right to perform a particular action on a particular object, and is associated
with a particular user. The concept is very similar to file permissions.
When you create a user within MySQL, you grant her a set of privileges to specify what she
can and cannot do within the system.
Principle of Least Privilege
The principle of least privilege can be used to improve the security of any computer system.
It's a basic but very important principle that is often overlooked. The principle is as follows:
A user (or process) should have the lowest level of privilege required in order to perform
his assigned task.
It applies in MySQL as it does elsewhere. For example, to run queries from the Web, a user
does not need all the privileges to which root has access. We should therefore create another
user who only has the necessary privileges to access the database we have just created.
Setting Up Users: The GRANT Command
The GRANT and REVOKE commands are used to give and take away rights to and from MySQL
users at four levels of privilege. These levels are
Global
Database
Table
Column
We'll see in a moment how each of these can be applied.
The GRANT command is used to create users and give them privileges. The general form of the
GRANT command is
GRANT privileges [columns]
ON item
TO user_name [IDENTIFIED BY 'password']
[WITH GRANT OPTION]
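The four privilege levels applied to one least-privilege setup, as an added example that is not from the original text. The database webshop, its tables and columns, the account names and the passwords are hypothetical placeholders. The accounts are created with CREATE USER before GRANT, because MySQL 8.0 no longer accepts IDENTIFIED BY inside GRANT.

```sql
-- Added example. webshop, its tables and all account names are hypothetical.
CREATE DATABASE webshop;
CREATE TABLE webshop.customers (
  customer_id INT PRIMARY KEY,
  name        VARCHAR(100),
  card_number VARCHAR(32)
);
CREATE TABLE webshop.orders (
  order_id    INT PRIMARY KEY,
  customer_id INT,
  total       DECIMAL(10,2)
);

-- One account per application role, limited to the host it connects from.
-- Passwords are placeholders.
CREATE USER 'shop_web'@'localhost'     IDENTIFIED BY 'change-me-1';
CREATE USER 'shop_report'@'localhost'  IDENTIFIED BY 'change-me-2';
CREATE USER 'shop_monitor'@'localhost' IDENTIFIED BY 'change-me-3';

-- Global level (ON *.*): applies to every database on the server.
-- Keep to narrow, server-wide privileges; never ALL for a Web account.
GRANT PROCESS ON *.* TO 'shop_monitor'@'localhost';

-- Database level (ON webshop.*): row access only, no DROP, ALTER or GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE ON webshop.* TO 'shop_web'@'localhost';

-- Table level: the reporting account reads a single table.
GRANT SELECT ON webshop.orders TO 'shop_report'@'localhost';

-- Column level: it can read customer names but not card_number.
GRANT SELECT (customer_id, name) ON webshop.customers TO 'shop_report'@'localhost';

-- Check the result, then take away a right that turns out to be unnecessary.
SHOW GRANTS FOR 'shop_report'@'localhost';
REVOKE DELETE ON webshop.* FROM 'shop_web'@'localhost';
SHOW GRANTS FOR 'shop_web'@'localhost';
```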