
PHP and MySQL Web Development - P55 doc


Chapter 11 Advanced MySQL

If you do this, you can then view the tables in this database by typing

show tables;

as usual. The results you get will look something like this:

+-----------------+
| Tables_in_mysql |
+-----------------+
| columns_priv    |
| db              |
| func            |
| host            |
| tables_priv     |
| user            |
+-----------------+

Each of these tables except for the func table stores information about privileges. (That one stores user defined functions.) They are sometimes called grant tables. These tables vary in their specific function but all serve the same general function, which is to determine what users are and are not allowed to do. Each of them contains two types of fields: scope fields, which identify the user, host, and part of a database; and privilege fields, which identify which actions can be performed by that user in that scope.

The user table is used to decide whether a user can connect to the MySQL server and whether she has any administrator privileges. The db and host tables determine which databases the user can access. The tables_priv table determines which tables within a database a user can use, and the columns_priv table determines which columns within tables they have access to.

The user Table

This table contains details of global user privileges. It determines whether a user is allowed to connect to the MySQL server at all, and whether she has any global level privileges; that is, privileges that apply to every database in the system.

We can see the structure of this table by issuing a describe user; statement. The schema for the user table is shown in Table 11.1.

Table 11.1 Schema of the user Table in the mysql Database

Field             Type
Host              char(60)
User              char(16)
Password          char(16)
Select_priv       enum('N','Y')
Insert_priv       enum('N','Y')
Update_priv       enum('N','Y')
Delete_priv       enum('N','Y')
Create_priv       enum('N','Y')
Drop_priv         enum('N','Y')
Reload_priv       enum('N','Y')
Shutdown_priv     enum('N','Y')
Process_priv      enum('N','Y')
File_priv         enum('N','Y')
Grant_priv        enum('N','Y')
References_priv   enum('N','Y')
Index_priv        enum('N','Y')
Alter_priv        enum('N','Y')

Each row in this table corresponds to a set of privileges for a user coming from a host and logging in with the password Password. These are the scope fields for this table, as they describe the scope of the other fields, called privilege fields.

The privileges listed in this table (and the others to follow) correspond to the privileges we granted using GRANT in Chapter 8. For example, Select_priv corresponds to the privilege to run a SELECT command. If a user has a particular privilege, the value in that column will be Y. Conversely, if a user has not been granted that privilege, the value will be N.

All the privileges listed in the user table are global, that is, they apply to all the databases in the system (including the mysql database). Administrators will therefore have some Ys in there, but the majority of users should have all Ns. Normal users should have rights to appropriate databases, not all tables.

The db and host Tables

Most of your average users’ privileges are stored in the tables db and host.

The db table determines which users can access which databases from which hosts. The privileges listed in this table apply to whichever database is named in a particular row.

The host table supplements the db table. If a user is to connect to a database from multiple hosts, no host will be listed for that user in the db table.
Instead, she will have a set of entries in the host table, one to specify the privileges for each user-host combination.

The schemas of these two tables are shown in Tables 11.2 and 11.3, respectively.

Table 11.2 Schema of the db Table in the mysql Database

Field             Type
Host              char(60)
Db                char(64)
User              char(16)
Select_priv       enum('N','Y')
Insert_priv       enum('N','Y')
Update_priv       enum('N','Y')
Delete_priv       enum('N','Y')
Create_priv       enum('N','Y')
Drop_priv         enum('N','Y')
Grant_priv        enum('N','Y')
References_priv   enum('N','Y')
Index_priv        enum('N','Y')
Alter_priv        enum('N','Y')

Table 11.3 Schema of the host Table in the mysql Database

Field             Type
Host              char(60)
Db                char(64)
Select_priv       enum('N','Y')
Insert_priv       enum('N','Y')
Update_priv       enum('N','Y')
Delete_priv       enum('N','Y')
Create_priv       enum('N','Y')
Drop_priv         enum('N','Y')
Grant_priv        enum('N','Y')
References_priv   enum('N','Y')
Index_priv        enum('N','Y')
Alter_priv        enum('N','Y')

The tables_priv and columns_priv Tables

These two tables are used to store table-level privileges and column-level privileges, respectively. They work like the db table, except that they provide privileges for tables within a specific database and columns within a specific table respectively.

These tables have a slightly different structure to the user, db, and host tables. The schemas for the tables_priv table and the columns_priv table are shown in Tables 11.4 and 11.5, respectively.

Table 11.4 Schema of the tables_priv Table in the mysql Database

Field             Type
Host              char(60)
Db                char(64)
User              char(16)
Table_name        char(60)
Grantor           char(77)
Timestamp         timestamp(14)
Table_priv        set('Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop', 'Grant', 'References', 'Index', 'Alter')
Column_priv       set('Select', 'Insert', 'Update', 'References')

Table 11.5 Schema of the columns_priv Table in the mysql Database

Field             Type
Host              char(60)
Db                char(64)
User              char(16)
Table_name        char(64)
Column_name       char(64)
Timestamp         timestamp(14)
Column_priv       set('Select', 'Insert', 'Update', 'References')

The Grantor column in the tables_priv table stores the user who granted this privilege to this user. The Timestamp column in both these tables stores the date and time when the privilege was granted.

Access Control: How MySQL Uses the Grant Tables

MySQL uses the grant tables to determine what a user is allowed to do in a two-stage process:

1. Connection verification. Here, MySQL checks whether you are allowed to connect at all, based on information from the user table, as shown previously. This is based on your username, hostname, and password. If a username is blank, it matches all users. Hostnames can be specified with a wildcard character (%). This can be used as the entire field (that is, % matches all hosts) or as part of a hostname; for example, %.tangledweb.com.au matches all hosts ending in .tangledweb.com.au. If the password field is blank, then no password is required. It’s more secure to avoid having blank users, wildcards in hosts, and users without passwords.

2. Request verification. Each time you enter a request, after you have established a connection, MySQL checks whether you have the appropriate level of privileges to perform that request. The system begins by checking your global privileges (in the user table) and if they are not sufficient, checks the db and host tables.
   If you still don’t have sufficient privileges, MySQL will check the tables_priv table, and, if this is not enough, finally it will check the columns_priv table.

Updating Privileges: When Do Changes Take Effect?

The MySQL server automatically reads the grant tables when it is started, and when you issue GRANT and REVOKE statements. However, now that we know where and how those privileges are stored, we can alter them manually. When you update them manually, the MySQL server will not notice that they have changed.

You need to point out to the server that a change has occurred, and there are three ways you can do this. You can type

FLUSH PRIVILEGES;

at the MySQL prompt (you will need to be logged in as an administrator to do this). This is the most commonly used way of updating the privileges. Alternatively you can run either

mysqladmin flush-privileges

or

mysqladmin reload

from your operating system.

After this, global level privileges will be checked the next time a user connects; database privileges will be checked when the next use statement is issued; and table and column level privileges will be checked on a user’s next request.

Making Your MySQL Database Secure

Security is important, especially when you begin connecting your MySQL database to your Web site. In this section, we’ll look at the precautions you ought to take to protect your database.
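
The checks below audit the grant tables for the three weaknesses named under connection verification (blank usernames, wildcard hosts, empty passwords), then make a manual correction followed by the reload it requires. This is an added example, not code from the book; it assumes the column layout of Tables 11.1 to 11.5, and the account name webapp is hypothetical.

```sql
-- Added example; assumes the grant-table layout of Tables 11.1-11.5.
-- Later MySQL releases changed these tables, so run "describe user;" first.
-- 'webapp' is a hypothetical non-administrative account name.
USE mysql;

-- 1. Connection verification: rows whose scope fields are looser than the
--    text recommends (blank user, wildcard host, no password).
SELECT Host, User,
       IF(User = '', 'Y', 'N')             AS blank_user,
       IF(LOCATE('%', Host) > 0, 'Y', 'N') AS wildcard_host,
       IF(Password = '', 'Y', 'N')         AS no_password
FROM   user
WHERE  User = '' OR LOCATE('%', Host) > 0 OR Password = '';

-- 2. Accounts holding any global privilege. Only administrators belong
--    here; ordinary accounts should be all N in the user table.
SELECT Host, User
FROM   user
WHERE  'Y' IN (Select_priv, Insert_priv, Update_priv, Delete_priv,
               Create_priv, Drop_priv, Reload_priv, Shutdown_priv,
               Process_priv, File_priv, Grant_priv, References_priv,
               Index_priv, Alter_priv);

-- 3. Request verification falls through to these tables in order, so this
--    is where an ordinary account's rights should be found instead.
SELECT Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv
FROM   db           WHERE User = 'webapp';
SELECT Host, Db, Table_name, Table_priv, Column_priv
FROM   tables_priv  WHERE User = 'webapp';
SELECT Host, Db, Table_name, Column_name, Column_priv
FROM   columns_priv WHERE User = 'webapp';

-- 4. Manual clean-up: drop anonymous accounts and clear webapp's global
--    privileges. The server keeps using its old copy of the grant tables
--    until it is told to reload them.
DELETE FROM user WHERE User = '';
DELETE FROM db   WHERE User = '';
UPDATE user
SET    Select_priv = 'N', Insert_priv = 'N', Update_priv = 'N',
       Delete_priv = 'N', Create_priv = 'N', Drop_priv = 'N',
       Reload_priv = 'N', Shutdown_priv = 'N', Process_priv = 'N',
       File_priv = 'N', Grant_priv = 'N', References_priv = 'N',
       Index_priv = 'N', Alter_priv = 'N'
WHERE  User = 'webapp';
FLUSH PRIVILEGES;
```

Queries 1 to 3 only read the grant tables; step 4 changes them and needs an administrator login.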

Date posted: 07/07/2014, 03:20
