Reviewing MySQL Security

Introduction
As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:

Privileges
Grant_priv: Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners. Check who holds it at the global, database, host and table level:
Select * from user where Grant_priv = 'Y';
Select * from db where Grant_priv = 'Y';
Select * from host where Grant_priv = 'Y';
Select * from tables_priv where Table_priv = 'Grant';

Alter_priv: Determine who has access to make changes to the database structure (alter privilege) at the global, database and table level.

Select * from user where Alter_priv = 'Y';
Select * from db where Alter_priv = 'Y';
Select * from host where Alter_priv = 'Y';
Select * from tables_priv where Table_priv = 'Alter';
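The checks above can be run as one consolidated audit query; the following is an added example written for this review, not part of the original page. It assumes a privileged connection to the server and the standard grant tables in the mysql system database (mysql.host is omitted because it was removed in MySQL 5.6.7), and it uses FIND_IN_SET on the SET-typed Table_priv column so that an account holding Grant or Alter together with other table privileges is not missed by an exact-match comparison.

```sql
-- Constructed audit query (added example, not from the original page).
-- Lists every account holding GRANT or ALTER at any scope so the result can
-- be compared against the approved list of DBA and table-owner accounts.
SELECT 'global'   AS scope, User, Host, '*' AS Db, '*' AS Table_name, 'GRANT' AS priv
  FROM mysql.user WHERE Grant_priv = 'Y'
UNION ALL
SELECT 'global', User, Host, '*', '*', 'ALTER'
  FROM mysql.user WHERE Alter_priv = 'Y'
UNION ALL
SELECT 'database', User, Host, Db, '*', 'GRANT'
  FROM mysql.db WHERE Grant_priv = 'Y'
UNION ALL
SELECT 'database', User, Host, Db, '*', 'ALTER'
  FROM mysql.db WHERE Alter_priv = 'Y'
UNION ALL
-- Table_priv is a SET column: FIND_IN_SET matches 'Grant' even when it is
-- combined with other privileges, where Table_priv = 'Grant' would not.
SELECT 'table', User, Host, Db, Table_name, 'GRANT'
  FROM mysql.tables_priv WHERE FIND_IN_SET('Grant', Table_priv) > 0
UNION ALL
SELECT 'table', User, Host, Db, Table_name, 'ALTER'
  FROM mysql.tables_priv WHERE FIND_IN_SET('Alter', Table_priv) > 0
ORDER BY User, Host, scope, Db, Table_name;
```

Any row whose User/Host pair is not on the approved DBA or owner list is a finding to raise with the database owners.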