MySQL – How to Create an Admin User Account

If you want to create an additional admin account for MySQL server, connect to the MySQL server with a MySQL client program and execute the following command:

GRANT ALL ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

Change the word “admin” to whatever username you want to use for the admin account and change “password” to whatever password you want to use for that account.

The above SQL command creates an admin account that can only connect from the server which is running the MySQL database service. If you want to allow the admin account to log in from any IP address then replace “localhost” with “%”. The “%” acts as a wild card character.

GRANT ALL ON *.* TO 'admin'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;

If you want to only allow the admin account to log in from a specific IP or range of IPs then use the wildcard character:

GRANT ALL ON *.* TO 'admin'@'192.168.1.%' IDENTIFIED BY 'password' WITH GRANT OPTION;

The above example allows the admin account to log in from any IP address that starts with 192.168.1.

MySQL logo

Basic SQL Injection Exploit with PHP

Here is an example of a basic login function which is taught in a lot of PHP tutorials. The purpose of this code is to prevent someone from viewing a web page unless they provide a valid username/password in a form. The username/password is stored in a MySQL database.

$username = $_POST["username"];
$password = $_POST["password"];$query = "SELECT * FROM users WHERE Username = '" . $username . "' AND Password = '" . $password . "'";
$result = mysql_query($query);
$validated = false;
while ($rs = mysql_fetch_array($result))
{ $validated = true; }

If a programmer does not do any input validation and uses the very basic username/password authentication example shown above, the following SQL code placed in the “password” field of a web application using code like this will usually give you access to the protected area:

foo' OR 'a'='a

The presence of this vulnerability in the code may allow a malicious
person to execute other SQL commands such as editing or deleting the
data in your database.

Shadow of hand over keybaord