[MySQL] 存储过程、函数、触发器跟视图的权限检查-Mysql Tutorial-php.cn

Home

Database

Mysql Tutorial

[MySQL] 存储过程、函数、触发器跟视图的权限检查

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 07, 2016 pm 04:14 PM

mysql function storage Permissions examine view trigger process

[MySQL] 存储过程、函数、触发器和视图的权限检查当存储过程、函数、触发器和视图创建后，不单单创建者要执行，其它用户也可能需要执行，换句话说，执行者有可能不是创建者本身，那么在执行存储过程时，MySQL是如何做权限检查的？在默认情况下，MySQL将检查

[MySQL] 存储过程、函数、触发器和视图的权限检查

当存储过程、函数、触发器和视图创建后，不单单创建者要执行，其它用户也可能需要执行，换句话说，执行者有可能不是创建者本身，那么在执行存储过程时，MySQL是如何做权限检查的？

在默认情况下，MySQL将检查创建者的权限。假设用户A创建了存储过程p()访问表T，并把execute的权限赋给了B，即使用户B没有访问表T的权限，也能够通过执行存储过程p()访问表T。

下面看一个例子：

首先，我们创建一个表test.t和两个用户a,b，并把权限赋予用户a

root@(none) 05:39:45>create table portal.t as select * from mysql.user;
Query OK, 25 rows affected (0.16 sec)
Records: 25  Duplicates: 0  Warnings: 0

root@(none) 05:39:55>create user a identified by 'a';
Query OK, 0 rows affected (0.02 sec)

root@(none) 05:40:51>create user b identified by 'b';
Query OK, 0 rows affected (0.00 sec)

root@(none) 05:40:59>grant all privileges on portal.* to a;
Query OK, 0 rows affected (0.01 sec)

Copy after login

接着，以用户a创建存储过程p()：

DELIMITER $$
USE portal$$
CREATE PROCEDURE `p`()
BEGIN
  SELECT COUNT(*) FROM portal.t;
END$$
DELIMITER ;

Copy after login

并把执行该存储过程的权限赋给用户b:

root@(none) 05:54:28>grant execute on procedure portal.p to b;
Query OK, 0 rows affected (0.00 sec)

Copy after login

这时候，已用户b连接后通过执行存储过程可以获得t表的访问权限：

b@(none) 05:58:20>call portal.p();
+----------+
| COUNT(*) |
+----------+
|       25 |
+----------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

Copy after login

但如果直接访问将出现权限错误：

b@(none) 05:58:40>select count(*) from portal.t;
ERROR 1142 (42000): SELECT command denied to user 'b'@'192.168.1.15' for table 't'

Copy after login

MySQL这样的设置有一定的道理，但同时也带来了安全隐患：比如如果一个用户通过创建一个存储过程来访问敏感数据，则可以调用该存储过程的所有用户都能访问敏感数据。

如果你不想使用MySQL的默认设置，可以在定义存储程序和视图时在create语句里使用definer = account字句指定定义者，这样在执行存储程序和视图时，将检查definer的权限，而不是创建者的权限。

举个例子，当你用root 创建一个存储过程时，在默认情况下，在执行该存储过程时，执行者将获得root的权限，但当你加上definer = A后，执行者只能获得A的权限。

但是definer还是没能完全解决上面提到的安全隐患，别急，MySQL还提供了SQL SECURITY选项来控制权限，它有两个取值:

1）DEFINER：以定义者的权限执行（默认）

2）INVOKER：以调用者的权限执行

如果你不想在存储程序或试图在执行时的权限多于调用者，就设置SQL SECURITY INVOKER即可。

例如，下面的试图将访问mysql.user，并设置了SQL SECURITY INVOKER选项，这样如果调用者没有访问mysql.user的权限，则无法通过权限检查。

create sql security invoker view v
  as select * from mysql.user;

Copy after login

注意：因为触发器和事件是由系统调用的，没有调用者的概念，所以它们没有SQL SECURITY选项。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks ago By DDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Chat Commands and How to Use Them

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7526

CakePHP Tutorial

1378

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

Related knowledge

MySQL: Simple Concepts for Easy Learning Apr 10, 2025 am 09:29 AM

MySQL is an open source relational database management system. 1) Create database and tables: Use the CREATEDATABASE and CREATETABLE commands. 2) Basic operations: INSERT, UPDATE, DELETE and SELECT. 3) Advanced operations: JOIN, subquery and transaction processing. 4) Debugging skills: Check syntax, data type and permissions. 5) Optimization suggestions: Use indexes, avoid SELECT* and use transactions.

How to open phpmyadmin Apr 10, 2025 pm 10:51 PM

You can open phpMyAdmin through the following steps: 1. Log in to the website control panel; 2. Find and click the phpMyAdmin icon; 3. Enter MySQL credentials; 4. Click "Login".

How to create navicat premium Apr 09, 2025 am 07:09 AM

Create a database using Navicat Premium: Connect to the database server and enter the connection parameters. Right-click on the server and select Create Database. Enter the name of the new database and the specified character set and collation. Connect to the new database and create the table in the Object Browser. Right-click on the table and select Insert Data to insert the data.

How to create a new connection to mysql in navicat Apr 09, 2025 am 07:21 AM

You can create a new MySQL connection in Navicat by following the steps: Open the application and select New Connection (Ctrl N). Select "MySQL" as the connection type. Enter the hostname/IP address, port, username, and password. (Optional) Configure advanced options. Save the connection and enter the connection name.

MySQL and SQL: Essential Skills for Developers Apr 10, 2025 am 09:30 AM

MySQL and SQL are essential skills for developers. 1.MySQL is an open source relational database management system, and SQL is the standard language used to manage and operate databases. 2.MySQL supports multiple storage engines through efficient data storage and retrieval functions, and SQL completes complex data operations through simple statements. 3. Examples of usage include basic queries and advanced queries, such as filtering and sorting by condition. 4. Common errors include syntax errors and performance issues, which can be optimized by checking SQL statements and using EXPLAIN commands. 5. Performance optimization techniques include using indexes, avoiding full table scanning, optimizing JOIN operations and improving code readability.

How to recover data after SQL deletes rows Apr 09, 2025 pm 12:21 PM

Recovering deleted rows directly from the database is usually impossible unless there is a backup or transaction rollback mechanism. Key point: Transaction rollback: Execute ROLLBACK before the transaction is committed to recover data. Backup: Regular backup of the database can be used to quickly restore data. Database snapshot: You can create a read-only copy of the database and restore the data after the data is deleted accidentally. Use DELETE statement with caution: Check the conditions carefully to avoid accidentally deleting data. Use the WHERE clause: explicitly specify the data to be deleted. Use the test environment: Test before performing a DELETE operation.

How to use single threaded redis Apr 10, 2025 pm 07:12 PM

Redis uses a single threaded architecture to provide high performance, simplicity, and consistency. It utilizes I/O multiplexing, event loops, non-blocking I/O, and shared memory to improve concurrency, but with limitations of concurrency limitations, single point of failure, and unsuitable for write-intensive workloads.

MySQL: An Introduction to the World's Most Popular Database Apr 12, 2025 am 12:18 AM

MySQL is an open source relational database management system, mainly used to store and retrieve data quickly and reliably. Its working principle includes client requests, query resolution, execution of queries and return results. Examples of usage include creating tables, inserting and querying data, and advanced features such as JOIN operations. Common errors involve SQL syntax, data types, and permissions, and optimization suggestions include the use of indexes, optimized queries, and partitioning of tables.

See all articles