Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "MySQL"

From NetSec
Jump to: navigation, search
(Editing Databases and Tables)
(Editing Databases and Tables)
Line 161: Line 161:
 
   +----+-----------+----------------------------------+
 
   +----+-----------+----------------------------------+
 
   1 row in set (0.00 sec)
 
   1 row in set (0.00 sec)
 +
 +
If we wanted to change one of these values, we would use the UPDATE query instead. For example, say Selketraz forgets her password and needs to have it reset. We would simply alter her entry in the database with UPDATE to set her password to a default one.
 +
 +
{| class="wikitable"
 +
|
 +
<syntaxhighlight lang="SQL">
 +
UPDATE user SET hash=md5("default1%") WHERE username="Selketraz";
 +
</syntaxhighlight>
 +
|}
 +
 +
This employs the WHERE statement to select only certain rows - in effect, it says FOR every row in the entire table: IF username="Selketraz", THEN change the password hash to 'default1%'.
 +
 +
Finally, entry deletion. In order to delete an entry from a table, simply use the DELETE query, which is structured similarly to UPDATE:
 +
 +
{| class="wikitable"
 +
|
 +
<syntaxhighlight lang="SQL">
 +
DELETE FROM user WHERE username="Selketraz";
 +
</syntaxhighlight>
 +
|}

Revision as of 01:55, 20 October 2011

MySQL Setup

In order to run MySQL you will need a MySQL server to work with - you can establish a server on one of your own computers, or use a webserver with MySQL installed.

Setup on a personal computer

Once MySQL is installed on your computer and the MySQL daemon is running (in Arch, /etc/rc.d/mysqld start), the next step is to establish users. If you defined a root MySQL password on setup, you can use this to establish a new user; otherwise, just hit enter at any password prompts you encounter.

In order to set up your MySQL databases, you'll first need to log into MySQL - at this point the only MySQl user will be your root user, so log in with:

<syntaxhighlight lang="bash"> mysql -p -u root </syntaxhighlight>

This will log you int MySQl as root after a password prompt. At this point, you can establish your other users with the SQL CREATE USER query. For example, if you wanted to create a user, "K_Mitnick":

<syntaxhighlight lang="SQL"> CREATE USER K_Mitnick; </syntaxhighlight>

Note the terminating semicolon - this indicates to MySQl that you wish to send your input as a query. Another method of doing this is by terminating your queries with '\g' - there is no difference between the two, it is simply a matter of personal preference.

This user will be created with absolutely no privileges: they can log into your server but do little else.

Setting Permissions

In order to allow your users to execute queries and interact with your databases, you must indicate to the server just what they are allowed to do. The most simple form of this is

<syntaxhighlight lang="SQL"> GRANT ALL ON <database name> TO <username> IDENTIFIED BY '<password>'; </syntaxhighlight>

RPU0j.png This kind of heavy handed allowance gives the user total freedom to execute any SQL query that they wish. IT SHOULD NEVER be given to the normal user, as this will create a serious vulnerability in your database.

A more reasonable form of this would be

<syntaxhighlight lang="SQL"> GRANT SELECT ON <database name> TO <username> IDENTIFIED BY '<password>'; </syntaxhighlight>

This only gives access to the SELECT query for the user, which essentially makes their access read-only. The GRANT query can be used with any SQL query as a parameter in order to grant a user the ability to use that query.

After you have changed permissions, it is a good idea to ensure that MySQL is up-to-date with user permissions with

<syntaxhighlight lang="SQL"> FLUSH PRIVILEGES; </syntaxhighlight>

You can now log on as a user other than root.

Basic Database Operation

Display

From the main MySQL prompt you see when you first log in, you usually are not logged into a particular database. In order to see all of the databases in your server, type:

<syntaxhighlight lang="SQL"> SHOW DATABASES; </syntaxhighlight>

This will display all of the databases on a server.

There are two ways to reference a table. One is by using the format <database>. to refer to its full path. The other is to set the database you're working in as your currently active database with the USE command:

<syntaxhighlight lang="SQL"> USE <database>; </syntaxhighlight>

From this point onwards, you can simply refer to a table by name. Whichever method of reference you choose, the syntax to display the tables in a database is simple:

<syntaxhighlight lang="SQL"> SHOW TABLES; </syntaxhighlight>

Creating and Deleting Databases and Tables

In order to create a new table, we use the CREATE query. The syntax for this query is

<syntaxhighlight lang="SQL">

CREATE TABLE (<column1> <datatype>, <column2> <datatype>, etc...); </syntaxhighlight>

For example, if we were to create a table called 'user' containing usernames and hashed passwords, we might want it to have 3 sections - first of all, a number to reference the rows by, secondly a plaintext username, and finally, a hashed password. In order to generate the ID, we would use the special PRIMARY KEY feature of SQL - each table should have a primary key, which automatically updates itself for each entry and is used to refer to elements in a table. The username and password hash would be VARCHARs, which is an SQL datatype that can hold up to 65,535 characters per row. So for this table, our declaration would be as follows:

<syntaxhighlight lang="SQL"> CREATE TABLE user ( ID INT AUTO_INCREMENT PRIMARY_KEY, username VARCHAR(64), hash VARCHAR(512) ); </syntaxhighlight>

There are a great many SQL datatypes to be used to format the contents of a column. For a full list of datatypes, check The MySQL Website.

To delete a table, simply use the <syntaxhighlight lang="sql">DROP TABLE ;</syntaxhighlight> query.

Editing Databases and Tables

Now that you have a table, you can begin to put values into it. There are three methods by which you can manipulate the data in a table: one is the INSERT query, another is the UPDATE query, and the last in the DELETE query.

In order to add a new value into a table, you use the INSERT query, the syntax for which is:

<syntaxhighlight lang="SQL">

INSERT INTO [(<column name>, <column name>, etc...)] VALUES (<value 1>, <value 2>, etc...); </syntaxhighlight>

The column references are optional - if included, the VALUES will be inserted into the specified columns in order. If no column references are provided, the VALUES will simply be inserted from the first column onwards. Relating to our last example, the query we would use to add a new entry to our table would be something like:

<syntaxhighlight lang="SQL"> INSERT INTO user VALUES (null, "Selketraz", md5("lolwut")); </syntaxhighlight>

In this case, we do not insert anything into the first value - ID - as PRIMARY KEY will automatically generate its value. The next value, username, we fill with a value, and for the final value we use MySQL's native md5 function to create a hashed password.

Once we've done this, our table will look a little something like this:

mysql> SELECT * FROM user;

 +----+-----------+----------------------------------+
 | ID | username  | hash                             |
 +----+-----------+----------------------------------+
 |  1 | Selketraz | 05a208028929fd77cfb5b08096a837df |
 +----+-----------+----------------------------------+
 1 row in set (0.00 sec)

If we wanted to change one of these values, we would use the UPDATE query instead. For example, say Selketraz forgets her password and needs to have it reset. We would simply alter her entry in the database with UPDATE to set her password to a default one.

<syntaxhighlight lang="SQL"> UPDATE user SET hash=md5("default1%") WHERE username="Selketraz"; </syntaxhighlight>

This employs the WHERE statement to select only certain rows - in effect, it says FOR every row in the entire table: IF username="Selketraz", THEN change the password hash to 'default1%'.

Finally, entry deletion. In order to delete an entry from a table, simply use the DELETE query, which is structured similarly to UPDATE:

<syntaxhighlight lang="SQL"> DELETE FROM user WHERE username="Selketraz"; </syntaxhighlight>