MySQL Database Naming

Question

This may be a stupid question, but I really haven't found an answer online. For years I've always named a new mysql database something cryptic. Usually only having one database per site, it hasn't been hard working with a cryptic naming practice - "x7s9u3or8wj". I was always worried about security but never had any concrete data stating that naming a database in a cryptic manner was necessary.

Now I'm building a web site which will require multiple databases. Using cryptic naming would make things harder vs. using a naming scheme like _users _content _common.

Would naming my databases with common words be a security risk? My username and password are always cryptic and secure.

Thanks!

Answer 1

Name your databases with names that make sense. Cryptic names are not going to resolve any security issues you may have or make poor code less vulnerable to SQL injection. Once I can inject into your SQL calls, I can find your DB names, no matter how silly you make them.

People using very widely spread CMS systems sometimes rename DMS and tables to try and confound crawlers trying well-known exploits, but this won't be an issue for your one-off system.

Answer 2

Naming cryptically your database can only increase security by obfuscation , and since that's not a realiable security feature, it just doesn't help much.

Anyway, as Ray says, if your code has any vulnerability that may grant you access to the database then the database names' will still be known.

Your security measures only work where you'd share your MySQL server with other users and you didn't want them to know what you stored there.

Using secure passwords is very nice.

Beware, your scripts will store the DB password in clear text. So, if you share your application space with other users, make sure that they can't access the file which stores the DB password. Besides, you could try other security measures, such as deleting the password information on runtime after establishing the DB connection.

ie, in PHP:

$db = "someCrypticPassword";
$conn = mysql_connect($host, $user, $pass, ...);
$db = "no-real-password";

Answer 3

I would have one table (masterDB) in a master database that holds all the individual DB's ID, Name and other data. Each time a new database is setup, the master DB table is updated with a new record. Then that record ID is appended to the new database name.

 masterDB.acct_id=1
 masterDB.acct_id=2
 etc, this table would hold the account name as well as the ID which is auto_incremented with each new record.

Then each new account database name is dynamically named with a standard prefix and appended with the Master DB ID.

acctDBName_1, acctDBName_2 etc..

Master DB can be referenced when looking up data about the subs; and the subs can just contain data relevant to each sub purpose. Good luck.