Updated: 2025-04-23 GMT+08:00

Risks of Anonymous (Empty-Name) Users

MySQL allows a user whose name is '' (the empty string) to exist. This section describes the risks of having such an anonymous user in the database.

When an anonymous user exists in MySQL, it can match any user name. This behaviour introduces several security and functional risks, so anonymous users should be avoided in practice.

  • Security risks
    • When an anonymous user exists, a connection can be made with any user name.
    • If the anonymous user has a password, any user name combined with the anonymous user's password logs in to the database and obtains all of the anonymous user's privileges. Example:
      # Without an anonymous user, logging in with the non-existent user name 'abcd' fails
      mysql> select user,host from mysql.user;
      +------------------+-----------+
      | user             | host      |
      +------------------+-----------+
      | root             | %         |
      | mysql.infoschema | localhost |
      | mysql.session    | localhost |
      | mysql.sys        | localhost |
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306 -ptest_1234
      mysql: [Warning] Using a password on the command line interface can be insecure.
      ERROR 1045 (28000): Access denied for user 'abcd'@'localhost' (using password: YES)
      # After creating an anonymous user, logging in as 'abcd' with the anonymous user's password succeeds
      mysql> create user ''@'localhost' identified by 'test_1234';
      mysql> select user,host from mysql.user;
      +------------------+-----------+
      | user             | host      |
      +------------------+-----------+
      | root             | %         |
      |                  | localhost |
      | mysql.infoschema | localhost |
      | mysql.session    | localhost |
      | mysql.sys        | localhost |
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306 -ptest_1234
      mysql: [Warning] Using a password on the command line interface can be insecure.
      Welcome to the MySQL monitor.  Commands end with ; or \g.
      Your MySQL connection id is 37
      Server version: 8.0.22-debug Source distribution
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
      Other names may be trademarks of their respective owners.
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      mysql>
    • If the anonymous user has no password, any user name logs in to the database without a password and obtains all of the anonymous user's privileges. Example:
      # When a passwordless anonymous user exists, any user name can log in without a password.
      mysql> create user ''@'localhost';
      Query OK, 0 rows affected (8.87 sec)
      mysql> select user,host from mysql.user;
      +------------------+-----------+
      | user             | host      |
      +------------------+-----------+
      | root             | %         |
      |                  | localhost |
      | mysql.infoschema | localhost |
      | mysql.session    | localhost |
      | mysql.sys        | localhost |
      +------------------+-----------+
      mysql -uabcd -h127.0.0.1 -P3306
      Welcome to the MySQL monitor.  Commands end with ; or \g.
      Your MySQL connection id is 39
      Server version: 8.0.22-debug Source distribution
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
      Other names may be trademarks of their respective owners.
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      mysql>
      #-----------------
      mysql -usdhsjkdshk -h127.0.0.1 -P3306
      Welcome to the MySQL monitor.  Commands end with ; or \g.
      Your MySQL connection id is 40
      Server version: 8.0.22-debug Source distribution
      Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
      Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
      Other names may be trademarks of their respective owners.
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      mysql>
  • Functional risks

    When an anonymous user exists, account matching can pick the wrong row, so that a legitimate user name can no longer log in.

    Example: when the anonymous user's host overlaps with the root user's host, root can no longer log in with its own password, or a login using the anonymous user's password succeeds but does not receive root's privileges.

    mysql> create user ''@'localhost';
    Query OK, 0 rows affected (8.87 sec)
    mysql> select user,host from mysql.user;
    +------------------+-----------+
    | user             | host      |
    +------------------+-----------+
    | root             | %         |
    |                  | localhost |
    | mysql.infoschema | localhost |
    | mysql.session    | localhost |
    | mysql.sys        | localhost |
    +------------------+-----------+
    # Logging in with root's password fails
    mysql -uroot -h127.0.0.1 -P3306 -ptest_root
    mysql: [Warning] Using a password on the command line interface can be insecure.
    ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
    # Logging in with the anonymous user's (empty) password actually logs in as the anonymous user, which has no root privileges.
    mysql -uroot -h127.0.0.1 -P3306
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 45
    Server version: 8.0.22-debug Source distribution
    Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
    Other names may be trademarks of their respective owners.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> select user,host from mysql.user;
    ERROR 1142 (42000): SELECT command denied to user ''@'localhost' for table 'user'
    mysql>
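To make the matching behaviour behind both the security and the functional examples above concrete, here is an added model of how MySQL picks the mysql.user row for a connection (example code written for this page, not from the original documentation or the MySQL server; the ordering follows MySQL's documented rule that more specific Host values sort first and non-anonymous User values sort before anonymous ones, the function names are my own, and the grant-table rows and connection attempts are constructed):

```python
"""Model of MySQL account matching, showing why ''@'localhost' captures
logins meant for other accounts. Added example; rows below are constructed."""
import re


def sort_key(value: str) -> int:
    # Specificity of one Host or User value, higher sorts first:
    # a literal value scores 128, a value with wildcards scores the position
    # of its first wildcard (an early '%' is very unspecific), '' scores 0.
    for pos, ch in enumerate(value):
        if ch in "%_":
            return min(pos + 1, 127)
    return 128 if value else 0


def host_matches(pattern: str, host: str) -> bool:
    # The Host column uses LIKE-style wildcards: '%' any run, '_' one char.
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def match_account(rows, user: str, host: str):
    # rows are (User, Host) tuples. Host is the primary sort key, User the
    # secondary; the first row matching the connection wins. An anonymous
    # row (User == '') matches any user name.
    ordered = sorted(rows, key=lambda r: (sort_key(r[1]), sort_key(r[0])),
                     reverse=True)
    for acct_user, acct_host in ordered:
        if host_matches(acct_host, host) and acct_user in ("", user):
            return (acct_user, acct_host)
    return None


def audit_anonymous(rows, connections):
    # Report every (user, host) login that would be served by an anonymous
    # row rather than by the account the client actually named.
    findings = []
    for user, host in connections:
        hit = match_account(rows, user, host)
        if hit is not None and hit[0] == "":
            findings.append((user, host, hit))
    return findings


# Constructed grant table mirroring the page's state after CREATE USER ''@'localhost'.
GRANT_ROWS = [("root", "%"), ("", "localhost"), ("mysql.sys", "localhost")]

if __name__ == "__main__":
    attempts = [("root", "localhost"), ("abcd", "localhost"), ("root", "10.0.0.5")]
    for user, host, hit in audit_anonymous(GRANT_ROWS, attempts):
        print(f"login {user!r} from {host} is served by {hit[0]!r}@{hit[1]!r}")
```

On a live server the same check is `SELECT User, Host FROM mysql.user WHERE User = '';`, and the fix is `DROP USER ''@'localhost';` for each row found.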
