Databases

Many web applications require a SQL database. MySQL at USD runs on a separate server, requiring a username and password.

Database security

Remember that we are running a shared server. Since your database files (or MySQL configuration files) need to be readable by the web server, they are vulnerable to anyone else at USD who runs web pages on the main server. You should:

  • Store database files and configuration files outside of your web area.
  • Make sure that the database files and configuration files are usable only by you and the web server.
  • Only allow read access to your database from the web if at all possible.
  • Ensure that the username and password in your web files, if you are using MySQL, will only work from the web server’s host.

The more of those you can do, the more secure your database will be. But on a shared server, you can never be completely secure. You should keep regular backups of your database. You should also not store any information which would be dangerous if stolen. No credit card information should be stored in a shared-server database, for example.

MySQL Accounts

When you receive your MySQL account information, you will receive the hostname, the database name, and three database accounts.

If you need to ‘hardcode’ a password into your web pages, you should use the “web read” password. Do not hardcode the full access password into your web pages, and only use the “web write” password if you need the web page to write to the database.

When you hardcode any password into a web file, you should change the file permissions on the file so that only you and ‘other’ can read the file. In Unix, this is ‘chmod uo+r,g-wrx FILENAME’.
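The following check is an added example, not part of the original page or of USD's tooling. It audits a password-bearing file against the advice above: outside the web area, no group access, readable by the web server as 'other'. It also shows that 'chmod uo+r,g-wrx' leaves any existing write or execute bits for 'other' in place. The directory names, file names and finding labels are hypothetical, and the sample files are constructed.

```python
import os
import stat
import tempfile

def apply_page_chmod(mode):
    """Mode bits after 'chmod uo+r,g-wrx': add user/other read, clear group."""
    return (mode | stat.S_IRUSR | stat.S_IROTH) & ~stat.S_IRWXG & 0o7777

def audit_credential_file(path, web_root):
    """Return findings for a file that holds a database password."""
    findings = []
    real, root = os.path.realpath(path), os.path.realpath(web_root)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside-web-area")
    mode = stat.S_IMODE(os.stat(real).st_mode)
    if mode & stat.S_IRWXG:
        findings.append("group-access")
    if mode & (stat.S_IWOTH | stat.S_IXOTH):
        findings.append("other-can-write-or-execute")
    if not mode & stat.S_IROTH:
        # Assumes, as the page does, that the web server reads the file as 'other'.
        findings.append("web-server-cannot-read")
    return findings

def demo():
    """Audit constructed sample files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        web_root = os.path.join(home, "public_html")  # hypothetical web area
        private = os.path.join(home, "private")       # hypothetical non-web dir
        os.mkdir(web_root)
        os.mkdir(private)
        samples = {
            "good": (private, 0o604),
            "in_web": (web_root, 0o644),
            "after_chmod": (private, apply_page_chmod(0o666)),
            "locked": (private, 0o600),
        }
        for name, (directory, mode) in samples.items():
            path = os.path.join(directory, name + ".cnf")
            with open(path, "w") as fh:
                fh.write("password=CONSTRUCTED-PLACEHOLDER\n")
            os.chmod(path, mode)
            results[name] = audit_credential_file(path, web_root)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

A file that started at mode 666 is still writable by 'other' after the chmod above, so check the resulting mode rather than assuming it.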

Web read account

The web read account can read from the database but cannot change the database, and it can only be used from the main webserver. You will want to use this account for your web pages if the web pages do not need to change the data in the database. Even if the username and password are stolen, they will not allow the hacker to modify your database, nor will they let them read the database unless they have access to run programs on the main webserver.

In MySQL terms, the web read account only has “select” access.

Web write account

The web write account can access the database to view and change data in the database, and it can only be used from the main webserver. You will want to use this account for your web pages if the web pages need to change the data in the database. Note that if the username and password are stolen, this will give the hacker the ability to change data in your database if they can run a program on the main webserver that does this.

In MySQL terms, the web write account has select, update, delete, and insert access.

Web insert account

The web insert account can insert data only. It cannot read data, and it can only be used from the main webserver. You will want to use this account for your web pages if the web pages need only store information in the database. Note that if the username and password are stolen, this will give the hacker the ability to insert data in your database if they can run a program on the main webserver that does this. However, they will not be able to modify or delete data.

In MySQL terms, the web insert account has insert access.

Full access account

The full access account can view and change the data in the database, and it can also alter the structure of the database, including removing tables and adding or removing fields. This account will work from any sandiego.edu computer, so please keep this password extra safe.

MySQL administration tools

There are several tools available for MySQL administration. You should install one on your desktop workstation. Even if the tool allows installation on a Unix system, you should not install it on the main webserver. If you install administration tools in your account on the webserver, you will bypass the security of your database. We give you passwords that can only be used from the webserver. Administration tools on the webserver disable this security.

Request a MySQL database