The MySQL Access Privilege System - Oracle 5.0 Reference Manual


• Perl DBI: Use placeholders or the quote() method.
• Ruby DBI: Use placeholders or the quote() method.
• Java JDBC: Use a PreparedStatement object and placeholders.
Other programming interfaces might have similar capabilities.

6.2. The MySQL Access Privilege System

The primary function of the MySQL privilege system is to authenticate a user who connects from a
given host and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE,
and DELETE. Additional functionality includes the ability to have anonymous users and to grant
privileges for MySQL-specific functions such as LOAD DATA INFILE and administrative operations.

There are some things that you cannot do with the MySQL privilege system:
• You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly
match a user and then refuse the connection.
• You cannot specify that a user has privileges to create or drop tables in a database but not to create
or drop the database itself.
• A password applies globally to an account. You cannot associate a password with a specific object
such as a database, table, or routine.

The user interface to the MySQL privilege system consists of SQL statements such as CREATE USER,
GRANT, and REVOKE. See Section 13.7.1, "Account Management Statements".

Internally, the server stores privilege information in the grant tables of the mysql database (that is, in
the database named mysql). The MySQL server reads the contents of these tables into memory when
it starts and bases access-control decisions on the in-memory copies of the grant tables.

The MySQL privilege system ensures that all users may perform only the operations permitted to them.
As a user, when you connect to a MySQL server, your identity is determined by the host from which
you connect and the user name you specify. When you issue requests after connecting, the system
grants privileges according to your identity and what you want to do.

MySQL considers both your host name and user name in identifying you because there is no reason
to assume that a given user name belongs to the same person on all hosts. For example, the user
joe who connects from office.example.com need not be the same person as the user joe who
connects from home.example.com. MySQL handles this by enabling you to distinguish users on
different hosts that happen to have the same name: You can grant one set of privileges for connections
by joe from office.example.com, and a different set of privileges for connections by joe from
home.example.com. To see what privileges a given account has, use the SHOW GRANTS statement.
For example:

SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';

MySQL access control involves two stages when you run a client program that connects to the server:

Stage 1: The server accepts or rejects the connection based on your identity and whether you can
verify your identity by supplying the correct password.

Stage 2: Assuming that you can connect, the server checks each statement you issue to determine
whether you have sufficient privileges to perform it. For example, if you try to select rows from a table
in a database or drop a table from the database, the server verifies that you have the SELECT
privilege for the table or the DROP privilege for the database.

For a more detailed description of what happens during each stage, see Section 6.2.4, "Access
Control, Stage 1: Connection Verification", and Section 6.2.5, "Access Control, Stage 2: Request
Verification".
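
The joe example above, worked through as an added example that is not part of the manual: two accounts that share a user name but differ by host receive different privileges, followed by checks of the grant tables. The database name appdb, the placeholder passwords, and the privilege split are assumptions made for illustration.

```sql
-- Added example; appdb, the passwords and the privilege split are assumed.

-- Two distinct accounts share the user name joe. The host part separates
-- them, and because a password applies to an account, each has its own.
CREATE USER 'joe'@'office.example.com' IDENTIFIED BY 'REPLACE_OFFICE_PASSWORD';
CREATE USER 'joe'@'home.example.com'   IDENTIFIED BY 'REPLACE_HOME_PASSWORD';

-- Office connections may read and modify rows in appdb.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'joe'@'office.example.com';

-- Home connections are read-only.
GRANT SELECT ON appdb.* TO 'joe'@'home.example.com';

-- CREATE and DROP are deliberately not granted on appdb.*: the privilege
-- system cannot allow creating or dropping tables in a database without
-- also allowing the database itself to be created or dropped.

-- There is no "deny" rule either. An account is restricted only by what it
-- was never granted, so review the result instead of assuming it.
SHOW GRANTS FOR 'joe'@'office.example.com';
SHOW GRANTS FOR 'joe'@'home.example.com';

-- Stage 2 in practice: an INSERT issued over a connection authenticated as
-- 'joe'@'home.example.com' is refused, because only SELECT was granted.

-- Review the grant tables in the mysql database.
-- Every host entry that exists for the user name joe:
SELECT User, Host FROM mysql.user WHERE User = 'joe' ORDER BY Host;

-- Anonymous accounts (empty user name):
SELECT Host, User FROM mysql.user WHERE User = '';

-- Accounts that can connect without a password:
SELECT Host, User FROM mysql.user WHERE Password = '';
```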
