Skip to main content

7 MySQL生产环境安全权限设置

tip

内容节选摘录自《Accessing data with MySQL》

When you are on a production environment, you may be exposed to SQL injection attacks. A hacker may inject DROP TABLE or any other destructive SQL commands. So, as a security practice, you should make some changes to your database before you expose the application to your users.

The following command revokes all the privileges from the user associated with the Spring application:

mysql> revoke all on db_example.* from 'springuser'@'%';COPY

Now the Spring application cannot do anything in the database.

The application must have some privileges, so use the following command to grant the minimum privileges the application needs:

mysql> grant select, insert, delete, update on db_example.* to 'springuser'@'%';COPY

Removing all privileges and granting some privileges gives your Spring application the privileges necessary to make changes to only the data of the database and not the structure (schema). When you want to make changes to the database:

  1. Regrant permissions.
  2. Change the spring.jpa.hibernate.ddl-auto to update.
  3. Re-run your applications.

Then repeat the two commands shown here to make your application safe for production use again. Better still, use a dedicated migration tool, such as Flyway or Liquibase.

参考资料