MYSQL restrict user access to information_schema
Question
I have a MySQL server (Server version: 5.1.68-community; MySQL client version: 5.0.51a). Is there any way to restrict ALL access to information_schema for all users?
What happens is that, some customer sites are getting hacked frequently through SQL Injection and they can get the database structure from information_schema table/view. Of course, we need to change the PHP codes to prevent SQL Injection, but still I would like to restrict access to information_schema server-wide.
Please guide me... thanks in advance
2 answers
solution1
19 ACCPTED 2014-02-13 13:33:02
The INFORMATION_SCHEMA is a virtual database that holds meta-information about all databases accessible to current user. Ie it's build dynamically according to user's permissions. It isn't real database. You should not try to change permissions to it in any case - it's updated dynamically according to server's state.
So your question has little sense. If someone will compromise some of users and get system control with it's permissions, he will be able to access to INFORMATION_SCHEMA for that user by definition (as that user can access any thing which is allowed by it's permissions - INFORMATION_SCHEMA is "a projection" of user's permissions).
solution2
-2 2016-02-24 17:23:21
One cannot prevent access to the information_schema (yet), but in the case of sql-injections through GET Request, it is easy to do a:
RewriteCond %{REQUEST_FILENAME} !handle_error\.php
RewriteCond %{QUERY_STRING} information_schema
RewriteRule ^(.*?) /handle_error.php [R=301,L]
in your .htaccess and this should save one some headache.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.