Questions tagged [databases]

Security related aspects of databases and database access.

Databases are designed to store huge amounts of structured data in a way that is easily accessible.

The most common type of database is the relational database, such as Oracle and MySQL. The standardized language used to access these databases is SQL (Structured Query Language).

Security aspects related to databases include various approaches to access control and secure stored procedures. There is a dedicated tag for the injection of query fragments into SQL statements: .

751 questions
41 votes, 8 answers

Does password-protecting a database living next to the application add any security?

I've seen setups where a password-protected database resided on the same server as an application holding the credentials to said database in plain text. What are the benefits of such a setup over a simply unprotected database? Apart from some…
36 votes, 4 answers

Is using a DB prefix for tables more secure?

I see systems that use database prefixes. Some call it a security feature. Some call it a way to have multiple installations in one database. The main pro is that it's harder to guess the whole table name. On the other hand, if you have some kind of…
janw
13 votes, 3 answers

What are the security benefits to a separate user database?

In the app I'm writing I separated the user and main databases a long time ago for "security reasons". However, it's getting harder and harder to justify the overhead and the difficulty of managing such a setup. For some quick detail, this is a PHP web…
TheLQ
6 votes, 1 answer

Best practice for direct SQL connection from DB to specific IPs on Internet

I am using AWS and looking for any comments on best practices regarding permitting connections to my DB from specific IPs on the Internet. I could give the DB a public IP and just lock down the firewall to only allow connections from the specific…
jay-charles
6 votes, 1 answer

Databases in DMZ and Intranet

In a study project I have to plan a network for a small company (around 50 employees) and I am currently at the point where I want to design the database architecture. I read that it's common to have a web server in the DMZ. The company has got an…
tellob
6 votes, 6 answers

What's more vulnerable; the data or the DBMS?

When data breaches occur, is a database always involved? In the case of databases being involved, do hackers figure out how the data is stored and read this or do they just figure out how to make queries to the database via the DBMS? Is accessing…
3 votes, 4 answers

"Out of the box" database security

When you install an RDBMS (say, PostgreSQL) and create a database, without taking any additional steps, what can you assume about the security/confidentiality of the data? I mean, is it encrypted by default, so even a person with physical access to…
mgibsonbr
2 votes, 2 answers

Securing microsoft access database

Let's say I have a website which is written in ASP and I keep my .mdb database in a random directory like /asd8asd/dkdgk32/asdmv/askdasd/kasldk.mdb. Can an attacker find the database's location without guessing/brute forcing?
mayhem
2 votes, 0 answers

Database Security for Public Databases

I recently moved some of my projects over to a serverless platform. I immediately noticed a few issues though. The biggest being database security. Prior to this I had been hosting my sites and database on a single server with the database only…
cyw
2 votes, 1 answer

Security flaws of storing strings and some of its substrings using Microsoft SQL Server Transparent Data Encryption?

I am creating a database table with an encrypted value, say users: Say John encrypted is U2FsdGVkX193AOGlBRE1RNScJRGN9vSB4erIljJwaKw=. UserId | Name ------ | -------------------------------------------- 1 |…
2 votes, 2 answers

Should I implement access control on databases inside a trusted network?

Excerpt from Redis' security article: Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an…
Chris Smith
2 votes, 2 answers

Filtering of port 3306 and opening only in times of need - The ultimate defence from DB hacking? (question had major update)

I am not from the IS field and want to ask: Can we conclude that filtering of port 3306 and unfiltering only in times of need is the ultimate defense from DB hacking? Let's assume I unfilter the port for 2-3 hours total in one year, just to make…
user123574
2 votes, 0 answers

Is it a bad practice to not use a separate database server?

An isolated environment for just the application data sounds good, but does it have a significant security advantage compared to the everything-in-one-place model?
Rápli András
2 votes, 2 answers

Benefit of randomly generated column names?

Would it be of any benefit to have tables with randomly generated names? For example: An SQL injection might be looking for: SELECT * FROM users WHERE 1=1 But if users is really rifchodafsnhe (or some other nonsense) their injection wouldn't…
xyhhx
1 vote, 0 answers

Is it safe to store database connection in database?

I'm developing a SaaS platform using hybrid multi-tenancy model. My SaaS platform has 2 main databases: 1 contains metadata and the other (called default) is a shared database that contains the info required to make the platform work, the remaining…
Ger