Before the last couple of years nobody thought about this stuff, like many web related security issues. Lots of programmers drift along blissfully unaware of what can go wrong until something bad happens
Some well known recent problems with popular web apps (large install base) and well known sites
Learn the basics (mostly applicable regardless of implementation language)
Motivate you to learn more
Far, far too much to cover in the time. This is just an introduction.
Don’t run mysqld as (Unix) root . Run it as a user created specifically for this purpose, e.g. mysql . Don’t use this account for anything else. (Note that the MySQL root user has nothing to do with Unix users so this doesn’t affect MySQL internally at all.)
Set permissions on the database directories so that only your mysqld user (e.g. mysql ) can access them.
Disable symlinks to tables with --skip-symbolic-links .
Disallow access to port 3306 (or whatever port you have MySQL running on) except from trusted hosts
All MySQL accounts need a password, especially root . (Don’t forget anonymous users, either.)
Grant users the minimum level of privilege required to do their job. (Principle of Least Privilege)
Some privileges require special attention:
Only the root user should have access to the mysql database, which contains privilege information
Keep FILE, PROCESS, and SUPER for administrative users. FILE enables file creation, PROCESS allows you to see executing processes (including passwords in plaintext), and SUPER can be allowed to e.g. terminate client connections.
Avoid wildcards in hostnames in the host table.
Use IPs instead of hostnames in the host table if you don’t trust your DNS