Answer: Many hosts won't allow remote MySQL connections from any port (encrypted or not).

The overall problem is fairly straightforward. PCI compliance is increasingly dictating this direction. Your error is likely the result of your MySQL user only being allowed access from specific IP addresses (the web server) and not '%' (wildcard, any IP address). Assuming this is the case, I'm surprised the host allows any external IP response from the MySQL server, but the DB and web servers might be the same machine. Resolution: There are a few options, but a good one would be to write a web service that only exposes the specific functionality/results you need via HTTPS. As others have said, using MySQL user information (limited privileges or not) embedded within an application is a bad idea. I've seen this done many times over the years and it always ends up badly.

The good thing about a web service is that once it's implemented server side, it doesn't matter what language the client application is written in.
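One way to build the "web service in front of the database" that this answer recommends, as an added example rather than code from the answer or the thread: the client application never holds database credentials and can only call the operations the service chooses to expose, each of which runs a parameterised query. sqlite3 in memory stands in for MySQL so the example runs offline; the orders table, the /order endpoint and port 8443 are assumptions. If certificate and key paths are supplied it serves TLS, otherwise plain HTTP for local testing.

```python
"""Minimal read-only web service that fronts a database.

Added example, not from the original answer. The client talks HTTP(S) to
this service; only the service knows the database credentials, and it
exposes exactly one operation (look up an order by id).

Assumptions: sqlite3 in memory replaces MySQL so this runs offline; the
table, column, endpoint and port names are invented for illustration.
"""
import json
import os
import sqlite3
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def open_db():
    """Constructed stand-in for the real database (sqlite3, in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total_cents INTEGER)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)", [(1, "alice", 1999), (2, "bob", 500)]
    )
    return db


def get_order(db, order_id):
    """The single operation the service exposes. The id is bound as a
    parameter, so it is treated as data and never spliced into the SQL."""
    row = db.execute(
        "SELECT id, customer, total_cents FROM orders WHERE id = ?", (order_id,)
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "customer": row[1], "total_cents": row[2]}


def handle_request(db, path):
    """Map a request path to (status, body). Anything not on the allow-list is 404,
    and the id is validated before it reaches the database."""
    parsed = urlparse(path)
    if parsed.path != "/order":
        return 404, {"error": "not found"}
    raw = parse_qs(parsed.query).get("id", [""])[0]
    if not raw.isdigit():
        return 400, {"error": "id must be a positive integer"}
    order = get_order(db, int(raw))
    if order is None:
        return 404, {"error": "no such order"}
    return 200, order


class Handler(BaseHTTPRequestHandler):
    db = None  # set once by serve(); HTTPServer is single-threaded

    def do_GET(self):
        status, body = handle_request(self.db, self.path)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def serve(host="127.0.0.1", port=8443, certfile=None, keyfile=None):
    """Serve over TLS when a cert/key pair is given, otherwise plain HTTP."""
    Handler.db = open_db()
    httpd = HTTPServer((host, port), Handler)
    if certfile and keyfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    # CERT_FILE / KEY_FILE are assumed environment variable names.
    serve(certfile=os.environ.get("CERT_FILE"), keyfile=os.environ.get("KEY_FILE"))
```

With this layout the MySQL account only ever connects from the service host, so it can stay restricted to that address ('app'@'<service host>') rather than being opened up to '%', which is the restriction the answer suggests is causing the error in the first place.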
Brute force attacks are used all the time. They wouldn't need to know the DB name; their scripts scan all IP addresses and look for open ports that will tell them services like MySQL are being run on the server. If you've heard of botnets, that's part of what they do. They get programmed to run these scripts, capable of trying millions of iterations a day. It may seem unlikely, but I promise they happen. It's why people have to defend themselves and why it's easy to find information about these attacks. Increasing the length and complexity of the user name and password definitely helps, though after so many characters it doesn't really do anything more. That's partly because of how the password may be stored on the server (usually as a hash). The MD5 hash algorithm is commonly used for passwords, but it's not considered as great as it used to be.

A Study of Passwords and Methods Used in Brute-Force SSH Attacks

As long as you're taking these other precautions it will improve your security much more than what most people do. Thread examples of people having their MySQL brute force attempted:

While your initial attempt is the easiest method, it's also the worst. At the same time, don't overcomplicate things.
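The scanning and password guessing this answer describes leaves a trail in the MySQL error log as "Access denied for user" lines, provided the server is configured to log failed connections. The following is an added example, not code from the answer or the thread: it parses constructed log lines in that format and flags source hosts with a burst of failures across several usernames, which is what a botnet node running a dictionary attack looks like. The sample lines, the thresholds and the window size are invented.

```python
"""Spot MySQL login brute forcing from the error log.

Added example, not from the original answer. Reads "Access denied for user
'u'@'host'" lines, counts failures per source host inside a sliding time
window, and reports hosts that exceed a threshold together with the set of
usernames they tried.

Assumptions: the server logs failed connections (depends on its error-log
verbosity setting); the sample lines below are constructed, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the MySQL 8 error-log layout. Not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:00.000000Z 11 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-03-01T10:00:00.400000Z 12 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2024-03-01T10:00:00.900000Z 13 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2024-03-01T10:00:01.300000Z 14 [Note] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2024-03-01T10:00:01.700000Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2024-03-01T10:00:02.100000Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: NO)
2024-03-01T10:05:00.000000Z 17 [Note] [MY-010926] [Server] Access denied for user 'appuser'@'10.0.0.12' (using password: YES)
2024-03-01T10:30:00.000000Z 18 [Note] [MY-010926] [Server] Access denied for user 'appuser'@'10.0.0.12' (using password: YES)
2024-03-01T10:30:05.000000Z 19 [Warning] [MY-010001] [Server] something unrelated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\].*?Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failures(text):
    """Yield (timestamp, user, host) for each failed-login line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, m["user"], m["host"]


def find_bruteforce(text, threshold=5, window_seconds=60):
    """Return {host: {"failures": total, "users": sorted usernames}} for every host
    that produced at least `threshold` failures within any `window_seconds` span.
    A sliding window per host, so a slow trickle of typos spread over the day is
    not flagged while a burst of guesses is."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    users = defaultdict(set)
    for ts, user, host in parse_failures(text):
        by_host[host].append(ts)
        users[host].add(user)

    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = {"failures": len(times), "users": sorted(users[host])}
                break
    return flagged


if __name__ == "__main__":
    for host, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failed logins, usernames tried: "
              + ", ".join(info["users"]))
```

The usernames list is the useful second signal: one host cycling through root, admin, mysql and test is a dictionary run, while a single application account failing twice half an hour apart is almost certainly a misconfiguration and is left alone by the default window.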