
PHP and MySQL Web Development - P55 doc


Chapter 11 Advanced MySQL
If you do this, you can then view the tables in this database by typing
show tables;
as usual.
The results you get will look something like this:
+-----------------+
| Tables_in_mysql |
+-----------------+
| columns_priv    |
| db              |
| func            |
| host            |
| tables_priv     |
| user            |
+-----------------+
Each of these tables except for the func table stores information about privileges. (That
one stores user defined functions.) They are sometimes called grant tables. These tables
vary in their specific function but all serve the same general function, which is to
determine what users are and are not allowed to do. Each of them contains two types of
fields: scope fields, which identify the user, host, and part of a database; and privilege
fields, which identify which actions can be performed by that user in that scope.
The user table is used to decide whether a user can connect to the MySQL server and
whether she has any administrator privileges. The db and host tables determine which
databases the user can access. The tables_priv table determines which tables within a
database a user can use, and the columns_priv table determines which columns within
tables they have access to.
The user Table
This table contains details of global user privileges. It determines whether a user is
allowed to connect to the MySQL server at all, and whether she has any global level
privileges; that is, privileges that apply to every database in the system.
We can see the structure of this table by issuing a describe user; statement.
The schema for the user table is shown in Table 11.1.
Table 11.1 Schema of the user Table in the mysql Database
Field             Type
Host              char(60)
User              char(16)
Password          char(16)
Select_priv       enum('N','Y')
Insert_priv       enum('N','Y')
Update_priv       enum('N','Y')
Delete_priv       enum('N','Y')
Create_priv       enum('N','Y')
Drop_priv         enum('N','Y')
Reload_priv       enum('N','Y')
Shutdown_priv     enum('N','Y')
Process_priv      enum('N','Y')
File_priv         enum('N','Y')
Grant_priv        enum('N','Y')
References_priv   enum('N','Y')
Index_priv        enum('N','Y')
Alter_priv        enum('N','Y')
Each row in this table corresponds to a set of privileges for a user coming from a host
and logging in with the password Password. These are the scope fields for this table, as
they describe the scope of the other fields, called privilege fields.
The privileges listed in this table (and the others to follow) correspond to the
privileges we granted using GRANT in Chapter 8. For example, Select_priv corresponds to
the privilege to run a SELECT command.
If a user has a particular privilege, the value in that column will be Y. Conversely, if a
user has not been granted that privilege, the value will be N.
All the privileges listed in the user table are global, that is, they apply to all the
databases in the system (including the mysql database). Administrators will therefore have
some Ys in there, but the majority of users should have all Ns. Normal users should have
rights to appropriate databases, not all tables.
The db and host Tables
Most of your average users’ privileges are stored in the tables db and host.
The db table determines which users can access which databases from which hosts. The
privileges listed in this table apply to whichever database is named in a particular row.
The host table supplements the db table. If a user is to connect to a database from
multiple hosts, no host will be listed for that user in the db table. Instead, she will have a
set of entries in the host table, one to specify the privileges for each user-host
combination.
The schemas of these two tables are shown in Tables 11.2 and 11.3, respectively.
Table 11.2 Schema of the db Table in the mysql Database
Field             Type
Host              char(60)
Db                char(64)
User              char(16)
Select_priv       enum('N','Y')
Insert_priv       enum('N','Y')
Update_priv       enum('N','Y')
Delete_priv       enum('N','Y')
Create_priv       enum('N','Y')
Drop_priv         enum('N','Y')
Grant_priv        enum('N','Y')
References_priv   enum('N','Y')
Index_priv        enum('N','Y')
Alter_priv        enum('N','Y')
Table 11.3 Schema of the host Table in the mysql Database
Field             Type
Host              char(60)
Db                char(64)
Select_priv       enum('N','Y')
Insert_priv       enum('N','Y')
Update_priv       enum('N','Y')
Delete_priv       enum('N','Y')
Create_priv       enum('N','Y')
Drop_priv         enum('N','Y')
Grant_priv        enum('N','Y')
References_priv   enum('N','Y')
Index_priv        enum('N','Y')
Alter_priv        enum('N','Y')
The tables_priv and columns_priv Tables
These two tables are used to store table-level privileges and column-level privileges,
respectively. They work like the db table, except that they provide privileges for tables
within a specific database and columns within a specific table, respectively.
These tables have a slightly different structure to the user, db, and host tables. The
schemas for the tables_priv table and the columns_priv table are shown in Tables 11.4
and 11.5, respectively.
Table 11.4 Schema of the tables_priv Table in the mysql Database
Field         Type
Host          char(60)
Db            char(64)
User          char(16)
Table_name    char(60)
Grantor       char(77)
Timestamp     timestamp(14)
Table_priv    set('Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop', 'Grant',
              'References', 'Index', 'Alter')
Column_priv   set('Select', 'Insert', 'Update', 'References')
Table 11.5 Schema of the columns_priv Table in the mysql Database
Field         Type
Host          char(60)
Db            char(64)
User          char(16)
Table_name    char(64)
Column_name   char(64)
Timestamp     timestamp(14)
Column_priv   set('Select', 'Insert', 'Update', 'References')
The Grantor column in the tables_priv table stores the user who granted this privilege
to this user. The Timestamp column in both these tables stores the date and time
when the privilege was granted.
Access Control: How MySQL Uses the Grant Tables
MySQL uses the grant tables to determine what a user is allowed to do in a two-stage
process:

1. Connection verification. Here, MySQL checks whether you are allowed to connect at
all, based on information from the user table, as shown previously. This is based on
your username, hostname, and password. If a username is blank, it matches all users.
Hostnames can be specified with a wildcard character (%). This can be used as the
entire field—that is, % matches all hosts—or as part of a hostname, for example,
%.tangledweb.com.au matches all hosts ending in .tangledweb.com.au. If the password
field is blank, then no password is required. It’s more secure to avoid having blank
users, wildcards in hosts, and users without passwords.
2. Request verification. Each time you enter a request, after you have established a
connection, MySQL checks whether you have the appropriate level of privileges
to perform that request. The system begins by checking your global privileges (in
the user table) and if they are not sufficient, checks the db and host tables. If
you still don’t have sufficient privileges, MySQL will check the tables_priv table,
and, if this is not enough, finally it will check the columns_priv table.
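The two-stage check described above can be modelled in a few lines of Python, which also flags the three weak patterns the text warns about. This is an added example, not code from the book or from MySQL. Its assumptions: all accounts, hosts and databases are constructed, the host table is left out, passwords are compared as plain strings where a real server compares hashes, and rows are listed most specific first so that the first scope match decides the login.

```python
import re

# Constructed sample grant-table rows (not from the book); "privs" stands in
# for the Y-valued *_priv columns. A real server compares password hashes.
USER = [
    {"Host": "localhost", "User": "root", "Password": "r-hash", "privs": {"Select", "Drop"}},
    {"Host": "%.example.com", "User": "web", "Password": "w-hash", "privs": set()},
    {"Host": "%", "User": "", "Password": "", "privs": set()},
]
DB = [{"Host": "%.example.com", "Db": "books", "User": "web", "privs": {"Select", "Insert"}}]
TABLES_PRIV = [{"Host": "%.example.com", "Db": "books", "User": "web",
                "Table_name": "orders", "privs": {"Update"}}]
COLUMNS_PRIV = [{"Host": "%.example.com", "Db": "logs", "User": "web",
                 "Table_name": "hits", "Column_name": "ip", "privs": {"Select"}}]

def host_matches(pattern, host):
    """% matches any run of characters, alone or as part of a hostname."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, host) is not None

def scope_ok(row, user, host):
    return host_matches(row["Host"], host) and row["User"] in ("", user)

def connect(user, host, password):
    """Stage 1: the first row whose scope matches decides; blank password = none needed."""
    for row in USER:
        if scope_ok(row, user, host):
            return row if row["Password"] in ("", password) else None
    return None

def request_level(user, host, priv, db, table=None, column=None):
    """Stage 2: name the first grant table that allows the request, else None."""
    levels = [("user", USER, {}),
              ("db", DB, {"Db": db}),
              ("tables_priv", TABLES_PRIV, {"Db": db, "Table_name": table}),
              ("columns_priv", COLUMNS_PRIV, {"Db": db, "Table_name": table, "Column_name": column})]
    for name, rows, scope in levels:
        for row in rows:
            if (scope_ok(row, user, host) and priv in row["privs"]
                    and all(row[k] == v for k, v in scope.items())):
                return name
    return None

def weak_rows():
    """Flag blank users, wildcard hosts and blank passwords in the user table."""
    checks = (("blank user", lambda r: r["User"] == ""),
              ("wildcard host", lambda r: "%" in r["Host"]),
              ("no password", lambda r: r["Password"] == ""))
    return {(r["User"], r["Host"]): [n for n, f in checks if f(r)] for r in USER}
```

The last sample row combines a blank user, a % host and a blank password, so connect() admits any username from any host with any password, which is why the text advises against all three.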
Updating Privileges: When Do Changes Take Effect?
The MySQL server automatically reads the grant tables when it is started, and when you
issue GRANT and REVOKE statements.
However, now that we know where and how those privileges are stored, we can alter
them manually. When you update them manually, the MySQL server will not notice that
they have changed.
You need to point out to the server that a change has occurred, and there are three
ways you can do this. You can type
FLUSH PRIVILEGES;
at the MySQL prompt (you will need to be logged in as an administrator to do this).
This is the most commonly used way of updating the privileges.

Alternatively you can run either
mysqladmin flush-privileges
or
mysqladmin reload
from your operating system.
After this, global level privileges will be checked the next time a user connects;
database privileges will be checked when the next use statement is issued; and table and
column level privileges will be checked on a user’s next request.
Making Your MySQL Database Secure
Security is important, especially when you begin connecting your MySQL database to
your Web site. In this section, we’ll look at the precautions you ought to take to protect
your database.