<a href="https://colab.research.google.com/github/CapitalData/OpenSourceDataScienceAICore/blob/main/Session_5_SQL_Security_And_Best_Practices.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

###**Section 5: SQL Security and Best Practices**



----
#### **Introduction**

- **Till our last session, we focused on how to write powerful and optimized SQL ,covering everything from basic queries, advanced joins, window functions, CTEs, optimization techniques, and even stored procedures.**
- **We learned how to manipulate and retrieve data efficiently, design scalable queries.**
- **Now that we know how to access and work with data, it’s time to take it a step further and learn how to protect it.**.
-  **That's why now we will learn about  how to build databases and queries that are not only powerful but also safe, secure, and future-proof**.


---
#### **Learning Objective**

- Understand why SQL security is critical
- SQL Injection and How to Prevent It
- User Roles and Permissions Management
- Encryption and Data Masking
- Backup and Recovery Strategies

#### **Why SQL Security is Critical?**

1. Data is Extremely Valuable
  - Customer information, payment details, medical records — all live inside databases.
  - If a database is hacked, sensitive data can be exposed, stolen, or sold.
2. SQL Databases Are a Top Target
  - Attackers often target SQL databases using techniques like SQL Injection because databases usually contain the core business data.
  - A single vulnerable query can expose thousands or millions of records.
3. Legal and Compliance Risks
  - Laws like GDPR, HIPAA, and CCPA require businesses to protect customer data.
  - Data breaches can lead to massive fines, lawsuits, and shutdowns.
4. Business Reputation Loss
  - Companies that leak customer data lose public trust.
  - A damaged reputation can be much harder (and more expensive) to rebuild than paying the fine.
5. Preventive Security is Easier and Cheaper
  - Building secure databases and writing secure queries is far easier and cheaper than handling a data breach aftermath.
  - Proactive security measures protect not only the system but also the company's future.



#### **Common Threats to SQL Security**

- **SQL Injection**
  - Malicious input used to manipulate SQL queries
- **Overprivileged Users**
  - Users with more access than needed
- **Unencrypted Data**
  - Plain-text storage or insecure transmission
- **Weak Authentication**
  - Easy-to-guess or reused credentials
- **Lack of Auditing**
  - No trace of who accessed or changed data
Unsecured Backups	Backup files stored without protection

####**Best Practices for SQL Security**

- **Query Writing**
  - Use parameterized queries or prepared statements
- **User Access**
  - Apply least privilege principle (only needed permissions)
- **Passwords**
  - Enforce strong, unique passwords
- **Encryption**
  - Use AES encryption or TLS for sensitive data
- **Auditing**
  - Enable logs and audit trails
- **Backups**
  - Store encrypted, tested backups securely
- **Roles**
  - Create role-based access controls (RBAC)
- **Environments**
  - Don’t use real data in test/dev environments

#### **1. Parameterized Query Writing**

**Install MySQL-Python Connector Package**

In [None]:
#Installing mysql python connector package
!pip install mysql-connector-python

Collecting mysql-connector-python
  Downloading mysql_connector_python-9.3.0-cp311-cp311-manylinux_2_28_x86_64.whl.metadata (7.2 kB)
Downloading mysql_connector_python-9.3.0-cp311-cp311-manylinux_2_28_x86_64.whl (33.9 MB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m33.9/33.9 MB[0m [31m19.9 MB/s[0m eta [36m0:00:00[0m
[?25hInstalling collected packages: mysql-connector-python
Successfully installed mysql-connector-python-9.3.0


In [None]:
!sudo apt-get clean
!sudo apt-get purge mysql*
!sudo apt-get update
!sudo apt-get install -f
!sudo apt-get install mysql-server
!sudo apt-get dist-upgrade

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'mysql-testsuite' for glob 'mysql*'
Note, selecting 'mysql-server-5.5' for glob 'mysql*'
Note, selecting 'mysql-server-5.6' for glob 'mysql*'
Note, selecting 'mysql-server-5.7' for glob 'mysql*'
Note, selecting 'mysql-server-8.0' for glob 'mysql*'
Note, selecting 'mysql-client-5.5' for glob 'mysql*'
Note, selecting 'mysql-client-5.6' for glob 'mysql*'
Note, selecting 'mysql-client-5.7' for glob 'mysql*'
Note, selecting 'mysql-client-8.0' for glob 'mysql*'
Note, selecting 'mysql-common' for glob 'mysql*'
Note, selecting 'mysqltcl' for glob 'mysql*'
Note, selecting 'mysql-testsuite-5.5' for glob 'mysql*'
Note, selecting 'mysql-testsuite-5.6' for glob 'mysql*'
Note, selecting 'mysql-testsuite-5.7' for glob 'mysql*'
Note, selecting 'mysql-testsuite-8.0' for glob 'mysql*'
Note, selecting 'mysql-client' for glob 'mysql*'
Note, selecting 'mysql-router' for glob 'mysql*'
Note, selec

**Start MySQL Server**

In [None]:
#Start mysql server
!service mysql start

 * Starting MySQL database server mysqld
   ...done.


In [None]:
# Intended to change the MySQL root user's authentication method and set the # #password to 'root'
!mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH 'mysql_native_password' BY 'root';FLUSH PRIVILEGES;"

**Create Connectin between MySQL server And python**

In [None]:
import mysql.connector

# Create a connection to the MySQL server
conn = mysql.connector.connect(user='root', password='root', host='localhost')

# Create a cursor to interact with the MySQL server
cursor = conn.cursor()

In [None]:
cursor.execute("SHOW DATABASES")
databases = cursor.fetchall()
for database in databases:
    print(database)

('information_schema',)
('mysql',)
('performance_schema',)
('secure_app',)
('sys',)


**Create databse "mydb"**

In [None]:
cursor.execute("CREATE DATABASE IF NOT EXISTS mydb")

In [None]:
cursor.execute("USE mydb")

In [None]:
connection = mysql.connector.connect(user='root', password='root', host='localhost', database='mydb')

In [None]:
cursor = connection.cursor()

In [None]:
# Create Table and Insert Data
cursor.execute("CREATE TABLE IF NOT EXISTS employees (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(255), salary DECIMAL(10, 2))")

In [None]:
#Insert data with Placeholder
cursor.execute("INSERT INTO employees (name, salary) VALUES (%s, %s)", ("John Doe", 50000.00))

In [None]:
# Insert multiple data
data = [
    ("Jane Smith", 60000.00),
    ("Bob Johnson", 55000.00),
    ("Alice Brown", 52000.00)
]
cursor.executemany("INSERT INTO employees (name, salary) VALUES (%s, %s)", data)

In [None]:
#Prepare the SQL Query
cursor.execute("SELECT * FROM employees")
print(f"{'Name':<20}{'Salary':<20}")
print('-' * 40)
for row in cursor.fetchall():
    print(f"{row[1]:<20}{row[2]:<20}")

Name                Salary              
----------------------------------------
John Doe            50000.00            
Jane Smith          60000.00            
Bob Johnson         55000.00            
Alice Brown         52000.00            


**Prepare the SQL Query with Placeholders**

In [None]:
# Prepare the SQL Query with Placeholders
query='''
  SELECT * FROM employees WHERE salary > %s;
'''
# Values to be inserted (user input or dynamic)
values = (55000,)

cursor.execute(query,values)

In [None]:
print(f"{'Name':<20}{'Salary':<20}")
print('-' * 40)
for row in cursor.fetchall():
    print(f"{row[1]:<20}{row[2]:<20}")

Name                Salary              
----------------------------------------
Jane Smith          60000.00            


**Get input from user and insert data into table employees**

In [None]:
# 2. Get input from user and insert data into table employees
name = input("Enter employee name: ")
salary = float(input("Enter employee salary: "))
query = "INSERT INTO employees (name, salary) VALUES (%s, %s)"
values = (name, salary)
cursor.execute(query, values)
connection.commit()
print("Data inserted successfully!")

Enter employee name: Tina Smith
Enter employee salary: 65000
Data inserted successfully!


In [None]:
cursor.execute("SELECT * FROM employees")
print(f"{'Name':<20}{'Salary':<20}")
print('-' * 40)
for row in cursor.fetchall():
    print(f"{row[1]:<20}{row[2]:<20}")

Name                Salary              
----------------------------------------
Jane Smith          60000.00            
Bob Johnson         55000.00            
Alice Brown         52000.00            
Johnson Fay         45000.00            
Tina Smith          65000.00            


#### **2. User Access in SQL (User Roles & Permissions)**

- Prevents unauthorized data access or modification

- Supports least-privilege principle (users get only what they need)

- Helps comply with data privacy laws (GDPR, HIPAA)

- Protects critical operations from human error or malicious actors



**Basic Concepts**
- **User**	A login identity in the database
- **Role**	A collection of permissions assigned to users
- **Privileges**	Specific rights like SELECT, INSERT, UPDATE, DELETE
- **GRANT/REVOKE**	SQL commands to assign or remove permissions

#### **Managing User Access in MySQL**

**1. Create a User**

```
CREATE USER 'report_user'@'localhost' IDENTIFIED BY 'secure_password';
```
-
report_user: the username

- @'localhost': restricts login to only from the local machine

- IDENTIFIED BY: sets the user's password (hashed and stored internally)

In [None]:
import getpass

password = getpass.getpass("Enter password:") # Call the getpass function within the getpass module
print(password) # Print the password (for demonstration purposes, avoid printing sensitive information in real applications)


Enter password:··········
abcd123


In [None]:
#Using Placeholders: Replace %password with %s, which acts as a placeholder for a value to be supplied later.
# Supplying Values: Pass the password variable as a tuple (password,) as the second argument to cursor.execute(). This ensures the value is properly escaped and inserted into the query, preventing SQL injection vulnerabilities and syntax errors.
cursor.execute("CREATE USER 'report_user'@'localhost' IDENTIFIED BY %s", (password,))

In [None]:
# View users
cursor.execute("SELECT User, Host FROM mysql.user")

In [None]:
for x in cursor:
  print(x)

('debian-sys-maint', 'localhost')
('mysql.infoschema', 'localhost')
('mysql.session', 'localhost')
('mysql.sys', 'localhost')
('report_user', 'localhost')
('root', 'localhost')


**2. Important Next Step: Grant Permissions**

**Types of Permissions in MySQL**
  
  **1.  Data Privileges (Table-Level)**

     - SELECT	Read data from tables
     - INSERT	Add new rows
     - UPDATE	Modify existing rows
     - DELETE	Remove rows
  **2. Structure Privileges (Database/Table-Level)**
     
     - CREATE	Create new tables/databases
     - DROP	Delete tables/databases
     - ALTER	Modify tables (e.g., add columns)
     - INDEX	Create/remove indexes   
   **3. Administrative Privileges**

     - ALL PRIVILEGES	Grant all permissions
     - GRANT OPTION	Allow user to grant permissions to others
     - CREATE USER	Create new users
     - RELOAD	Flush changes (caches/logs)
     - PROCESS	View currently running queries
  

#### **Granting,Revoking and Checking Permissions**

**1. Granting Permissions**

- Syntax:
 ```
 GRANT privilege_type
 ON database_name.table_name
 TO 'username'@'host';

 ```
- Grant ALL privileges
```
GRANT ALL PRIVILEGES
ON sales_db.*
TO 'admin_user'@'localhost';
```

**2. Revoking Permissions**
- Syntax:
```
 REVOKE  privilege_type
 ON database_name.table_name
 TO 'username'@'host';
```



**3. Checking Permissions**
- Show Current Privileges:
```
 SHOW GRANTS FOR 'user'@'localhost';
 ```


**4. Apply changes(Optional)**
```
 FLUSH PRIVILEGES;
```
- It tells MySQL to **reload the privilege tables** from the mysql system database.
- Not always necessary in modern MySQL, but safe to include.
- Without FLUSH PRIVILEGES, the change won’t take effect until MySQL is restarted.
- Avoid directly modifying system tables.
- Use GRANT, REVOKE, or ALTER USER instead—they apply changes instantly without needing FLUSH PRIVILEGES

**Let's Try**

In [None]:
# Grant Permissions
query = "GRANT SELECT ON mydb.employees TO 'report_user'@'localhost'"
cursor.execute(query)

In [None]:
# Revoking permissions
query='''
 REVOKE INSERT, UPDATE
 ON mydb.employees
 FROM 'report_user'@'localhost';
 '''
cursor.execute(query)


In [None]:
#Check permissons
cursor.execute("SHOW GRANTS FOR 'report_user'@'localhost'")

for x in cursor:
  print(x)

('GRANT USAGE ON *.* TO `report_user`@`localhost`',)
('GRANT SELECT ON `mydb`.`employees` TO `report_user`@`localhost`',)


**Use 'resport_user'@'localhost'**

In [None]:
# Use 'report_user' @'localhost
cursor.close()
connection.close()
# Create connection with user report_user
connection = mysql.connector.connect(user='report_user', password=password, host='localhost', database='mydb')

In [None]:
# Create cursor
cursor = connection.cursor()
#Execute query to access employees table root user
cursor.execute("SELECT * FROM employees")
for x in cursor:
  print(x)

(1, 'John Doe', Decimal('50000.00'))
(2, 'Jane Smith', Decimal('60000.00'))
(3, 'Bob Johnson', Decimal('55000.00'))
(4, 'Alice Brown', Decimal('52000.00'))


In [None]:
# Try to insert data to employee table
cursor.execute("INSERT INTO employees (name, salary) VALUES (%s, %s)", ("John Doe", 50000.00))


ProgrammingError: 1142 (42000): INSERT command denied to user 'report_user'@'localhost' for table 'employees'

It gives programming error 1142(42000): INSERT command denied to user 'report_user'@'localhost' for table 'employees' due to revoke permission.


In [None]:
#close cursor and connection
cursor.close()
connection.close()

**3. Password Best Practices**
-  Use strong passwords: mix upper/lowercase, numbers, symbols

-  Use the mysql_native_password plugin when compatibility is needed

**How to use mysql_native_password plugin**
- mysql_native_password is an authentication plugin in MySQL that uses the older SHA1-based password hashing method.
- It was the default in MySQL 5.x, but in MySQL 8.0, the default is now caching_sha2_password

**When to Use mysql_native_password**
- You need compatibility with older MySQL clients/libraries (especially in older Python, PHP, Java apps).
- You're encountering login errors like:
```
Authentication plugin 'caching_sha2_password' cannot be loaded
```
- How to use it?
```
 CREATE USER 'username'@'localhost'
 IDENTIFIED WITH mysql_native_password
 BY 'StrongPassword123!';
```
- Note:**mysql_native_password is less secure than caching_sha2_password and should be used only for backward compatibility.**




**caching_sha2_password**
-   Provides stronger security compared to the older mysql_native_password, using SHA-256 hashing and optional RSA encryption for login credentials.
```
 CREATE USER 'username'@'localhost'
 IDENTIFIED WITH caching_sha2_password
 BY 'StrongPass123!';
```

**Check a User’s Auth Plugin**

In [None]:
query='''
 SELECT user, host, plugin FROM mysql.user;
'''
cursor.execute(query)
for x in cursor:
  print(x)

('debian-sys-maint', 'localhost', 'caching_sha2_password')
('mysql.infoschema', 'localhost', 'caching_sha2_password')
('mysql.session', 'localhost', 'caching_sha2_password')
('mysql.sys', 'localhost', 'caching_sha2_password')
('report_user', 'localhost', 'caching_sha2_password')
('root', 'localhost', 'mysql_native_password')


In [None]:
#changing mysql_native_password to caching_sh2_password
query = """
ALTER USER 'root'@'localhost'
IDENTIFIED WITH caching_sha2_password
BY 'NewPass456!';
"""
cursor.execute(query)

for x in cursor:
  print(x)


In [None]:
# query to get user ,host and plugin details
query='''
 SELECT user, host, plugin FROM mysql.user;
'''
cursor.execute(query)
for x in cursor:
  print(x)


('debian-sys-maint', 'localhost', 'caching_sha2_password')
('mysql.infoschema', 'localhost', 'caching_sha2_password')
('mysql.session', 'localhost', 'caching_sha2_password')
('mysql.sys', 'localhost', 'caching_sha2_password')
('report_user', 'localhost', 'caching_sha2_password')
('root', 'localhost', 'caching_sha2_password')


####**What is SQL Data Encryption and How it Works?**

**Encryption in SQL databases, especially MySQL, helps protect data at rest and data in transit, ensuring sensitive information like passwords, credit card details, or personal identifiers remains confidential — even if the database or file system is compromised.**

- **SQL data encryptio**n is the process of converting sensitive database information into an unreadable format using cryptographic algorithms.
- Only authorized persons with the decryption key will be able to access the actual data.
- This ensures the security of data at rest and during transmission.
- Encrypting and decrypting data is called cryptography.
- SQL can encrypt data in different states
  1. Data-at-Rest
  2. Data-in-Transit



**Techniques for SQL Data Encryption**
1. Transparent Data Encryption(TDE)
2. Column-level Encryption

**1. Data at Rest**
 - Encrypts data stored on disk — e.g., tablespace files, logs.
 - **Tablespace Encryption**: Encrypts .ibd files storing InnoDB tables
 - **Log Encryption**:	Redo, undo, and binary log encryption
 - **Keyring Plugin** :	Stores encryption keys securely

**2. Data in Transit**
- Encrypts data moving between clients and the server via SSL/TLS.
- SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt data sent over a network.
-  In MySQL, SSL/TLS protects communication between clients and the database server, preventing data interception, tampering, and impersonation.

####**Transparent Data Encryption**

- Transparent Data Encryption (TDE) is a method of encrypting an entire database or specific tablespaces at rest—that is, the physical files on disk—without requiring changes to application code.
- Automatically encrypts data before it's written to disk and decrypts it when read into memory, making the process transparent to applications and users.
- Components in MySQL TDE:
  - Tablespace encryption
  - Keyring plugin



**Tablespace Encryption (InnoDB)**
- Tablespace encryption encrypts the actual physical storage files (like .ibd files in InnoDB),
- Helping protect sensitive data from unauthorized access in case of disk theft or breach.
- This is native to MySQL (from version 5.7+) and uses AES encryption.
- In MySQL, a tablespace is the storage area where InnoDB stores tables and indexes.
- Encrypting it means the data on disk is unreadable without the proper keyring.

**What is keyring?**
-  The Keyring plugin is a built-in mechanism in MySQL that securely stores and manages encryption keys used for data-at-rest encryption, such as tablespace, undo/redo logs, and binary logs.
- Keep keys safe and separate from the encrypted data
- Provide automatic key retrieval during DB startup
- Enable AES-256 encryption support



####**Steps to Enable Tablespace Encryption**


**1. Enable the Keyring Plugin**
- Edit your my.cnf or my.ini:
```
[mysqld]
early-plugin-load=keyring_file.so
keyring_file_data=/var/lib/mysql-keyring/keyring
```

**2. Restart MySQL**
```
sudo systemctl restart mysql
```

**3. Enable Encryption by Default (Optional)**
```
[mysqld]
innodb_encrypt_tables=ON
innodb_encrypt_log=ON
innodb_encrypt_temporary_tables=ON
```

**4. Create an Encrypted Table**
```
CREATE TABLE employees (
    id INT,
    ssn VARCHAR(11)
) ENCRYPTION='Y';

```
- The ENCRYPTION='Y' directive enables encryption for the table's tablespace.

**5. Verify Encryption**
```
SELECT TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_SCHEMA = 'your_db';
```





####**Log Encryption**

- Log encryption in MySQL refers to securing the content of **log files**—like **general logs, slow query logs, and binary logs**—by encrypting them to protect sensitive information and comply with data security regulations.
- Prevent unauthorized access to sensitive query data, especially in logs containing:
  - User queries
  - Passwords (if not properly parameterized)
  - Personally identifiable information (PII)
- Meet compliance standards like GDPR, HIPAA, or PCI-DSS
- **General Log**	Records every SQL statement
  ```
  -- General log Configuration
   [mysqld]
  general_log = ON
  general_log_file = /var/log/mysql/general.log
 ```
- **Slow Query Log**	Logs queries that exceed execution time
 ```
  -- Slow query log configuration
  [mysqld]
  slow_query_log = 1
  slow_query_log_file = /var/log/mysql/slow.log
  long_query_time = 2   # Log queries taking more than 2 seconds
  log_queries_not_using_indexes = 1
  ```

- **Binary Log**	Tracks changes to data (used for replication and recovery)
 ```
  -- Binary Log Configuration
  [mysqld]
  master_verify_checksum = ON
  binlog_checksum = CRC32
  encrypt_binlog = ON

 ```
- **Error Log**	Contains server error messages
 ```
  -- Error log configuration
  [mysqld]
  log_error = /encrypted/mysql/error.log
```
- Secure access to log using permissions.
```
chmod 600 /var/log/mysql/general.log
chown mysql:mysql /var/log/mysql/general.log
```
```
chmod 600 /var/log/mysql/slow.log
chown mysql:mysql /var/log/mysql/slow.log
```
```
 chmod 600 /var/log/mysql/error.log
 chown mysql:mysql /var/log/mysql/error.log
```

#### **Column Level Encryption**

- **Column-level encryption encrypts specific sensitive fields**
- Like passwords, credit cards, or SSNs in a table, offering fine-grained control over what data is encrypted — rather than encrypting the entire table or database.
- **Fine-grained control**	Encrypt only sensitive columns (e.g., SSN)
- **Better performance**	Less overhead than full table encryption
- **Flexible key management**	Can use different keys per column or row
- **Compliance**	Helps with PCI-DSS, HIPAA, GDPR, etc.
- PCI-DSS, HIPAA, and GDPR — three major regulations that influence how data (especially sensitive data) must be stored, accessed, and protected.

**Steps for Column-Level Encryption**

**1. Choose the Encryption Method**
- Use MySQL’s built-in AES_ENCRYPT() and AES_DECRYPT() functions which are
used for symmetric encryption and decryption of sensitive data.
- They use the AES (Advanced Encryption Standard) algorithm.

**2. Prepare the Database Table**
- Define the encrypted column as VARBINARY, not VARCHAR, since encrypted data is binary.
```
CREATE TABLE users (
    id INT PRIMARY KEY,
    name VARCHAR(100),
    ssn VARBINARY(255)
);
```

**3. Set the Encryption Key Securely**
- Always avoid hardcoding the key in queries or application code.
```
SET @key_str = 'your_secret_key';
```
- We can store this key:
 - In a secure environment variable
 - In a secrets manager (AWS Secrets Manager, Vault, etc.)
 - In a separate secured config file



**4. Insert Encrypted Data**
- Use AES_ENCRYPT() when inserting sensitive data.
```
INSERT INTO users (id, name, ssn)
VALUES (1, 'Alice', AES_ENCRYPT('123-45-6789', @key_str));
```


**5. Query and Decrypt Data**
- Use AES_DECRYPT() to view sensitive data.
```
SELECT id, name, AES_DECRYPT(ssn, @key_str) AS ssn
FROM users;
```



**6. Secure Access to Key**
- Ensure that only privileged users or apps have access to the encryption key.



**Demo: AES Encryption/Decryption in Python + MySQL**

**1. Create Database demo_db and Create table 'users' in it.**

In [None]:
query='''
 CREATE DATABASE IF NOT EXISTS demo_db;
 USE demo_db;

 CREATE TABLE IF NOT EXISTS users (
    id INT PRIMARY KEY,
    name VARCHAR(100),
    ssn VARBINARY(255)
);
'''
cursor.execute(query)


In [None]:
#close cursor and connection
cursor.close()
connection.close()

In [None]:
import mysql.connector
#Create connection and cursor using database 'demo_db'(Note: easy to use)
connection = mysql.connector.connect(user='root', password='root', host='localhost',database='demo_db')

In [None]:
cursor = connection.cursor()

In [None]:
cursor.execute("SHOW DATABASES")
for x in cursor:
  print(x)

('demo_db',)
('information_schema',)
('mysql',)
('performance_schema',)
('sys',)


**2. Set encryption key**

In [None]:
#set encryption key
encryption_key = "securekey123"
cursor.execute("SET @key := %s", (encryption_key,))

**3. Insert encrypted data**


In [None]:
#Insert encrypted data
cursor.execute("""
    INSERT INTO users (id, name, ssn)
    VALUES (%s, %s, AES_ENCRYPT(%s, @key))
""", (3, "DAN", "123-47-3345"))


**4.  Fetch and decrypt data**

In [None]:
cursor.execute('''
  SELECT id, name, CAST(AES_DECRYPT(ssn, @key) AS CHAR) AS decrypted_ssn
  FROM users;''')
for row in cursor.fetchall():
    print("ID:", row[0], "| Name:", row[1], "| SSN:", row[2])

ID: 1 | Name: Alice | SSN: 123-45-6789
ID: 2 | Name: BOB | SSN: 123-45-3345
ID: 3 | Name: DAN | SSN: 123-47-3345


#### **Auditing**

- The process of tracking and recording database activity to ensure data security, compliance, and accountability.
- Detects suspicious behavior, unauthorized access, or policy violations.

**Types of SQL Auditing**
1. Login Auditing
  - Tracks login attempts (success/failure).
2. Query Auditing
  - Logs SELECT, INSERT, UPDATE, DELETE operations.
3. Privilege Auditing
  - Monitors GRANT/REVOKE and role assignments.
4. Schema Auditing
  -	Logs DDL changes like CREATE, ALTER, DROP.
5. Data Access Auditing
  - Captures which data was accessed, and by whom.

####**Auditing Demo**

In [None]:
query='''
 SET global general_log = 1;
 SET global log_output = 'TABLE';
 SELECT * FROM mysql.general_log;
 '''
cursor.execute(query)
for x in cursor:
  print(x)


(datetime.datetime(2025, 5, 2, 15, 40, 26, 638675), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b'SELECT * FROM mysql.general_log')
(datetime.datetime(2025, 5, 2, 15, 40, 29, 801235), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b'SET global general_log = 1;')
(datetime.datetime(2025, 5, 2, 15, 40, 29, 801443), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b"SET global log_output = 'TABLE';")
(datetime.datetime(2025, 5, 2, 15, 40, 29, 801579), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b'SELECT * FROM mysql.general_log')
(datetime.datetime(2025, 5, 2, 15, 40, 30, 436570), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b'SET global general_log = 1;')
(datetime.datetime(2025, 5, 2, 15, 40, 30, 436784), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b"SET global log_output = 'TABLE';")
(datetime.datetime(2025, 5, 2, 15, 40, 30, 436956), 'root[root] @ localhost [127.0.0.1]', 14, 1, 'Query', b'SELECT * FROM mysql.general_log')
(datetime.da

In [None]:
import mysql.connector
from mysql.connector import Error
from datetime import datetime

def audit_login(username, status, host='localhost'):
    try:
        conn = mysql.connector.connect(
            host='localhost',
            user='root',
            password='root',   # Admin credentials to insert audit record
            database='demo_db'
        )
        cursor = conn.cursor()
        query = """
        INSERT INTO login_audit (username, login_time, status, host_info)
        VALUES (%s, %s, %s, %s)
        """
        cursor.execute(query, (username, datetime.now(), status, host))
        conn.commit()
    except Exception as e:
        print("Audit failed:", e)
    finally:
        if conn.is_connected():
            cursor.close()
            conn.close()

def try_login(user, passwd):
    try:
        test_conn = mysql.connector.connect(
            host='localhost',
            user=user,
            password=passwd
        )
        print(f"[+] Login successful for {user}")
        audit_login(user, 'SUCCESS')
    except Error as e:
        print(f"[-] Login failed for {user}")
        audit_login(user, 'FAILURE')



In [None]:
query='''
    CREATE TABLE login_audit (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(100),
    login_time DATETIME,
    status VARCHAR(20),     -- 'SUCCESS' or 'FAILURE'
    host_info VARCHAR(100)
 );
'''
cursor.execute(query)

In [None]:
# query all user
query='''
 SELECT user, host, plugin FROM mysql.user;
'''
cursor.execute(query)
for x in cursor:
  print(x)

('debian-sys-maint', 'localhost', 'caching_sha2_password')
('mysql.infoschema', 'localhost', 'caching_sha2_password')
('mysql.session', 'localhost', 'caching_sha2_password')
('mysql.sys', 'localhost', 'caching_sha2_password')
('root', 'localhost', 'mysql_native_password')


In [None]:
cursor.close()
connection.close()

In [None]:
audit_login('root', 'root')

In [None]:
# Example attempts
try_login('root', 'wrong_password')
try_login('report_user', '')
try_login('root', 'root')


[-] Login failed for root
[-] Login failed for report_user
[+] Login successful for root


**Backups**
- Backing up your database is essential to protect against data loss due to accidents, corruption, system failure, or cyberattacks.
- Types of Backups:
  1. Logical Backup
    - Backs up data using SQL statements (e.g., mysqldump)
  2. Physical Backup
    - Copies database files directly from disk (e.g., mysqlhotcopy, file copy)
  3. Incremental
    - Only backs up changes since the last backup
  4. Binary Log Backup
    - Uses the binary log to capture data changes between full backups.

**Tools for MySQl Backups**
1. mysqldump (Logical)
2. mysqlpump (Parallel version of mysqldump)
3. MySQL Enterprise Backup (for hot, incremental, and encrypted backups)
4. Percona XtraBackup (Free & powerful tool for physical backups)




**Automating Backups with Python**

In [None]:
import os
import datetime

def backup_db(user, password, db_name):
    now = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
    file_name = f"{db_name}_backup_{now}.sql"
    cmd = f"mysqldump -u {user} -p{password} {db_name} > {file_name}"
    os.system(cmd)
    print(f"[+] Backup saved as: {file_name}")

backup_db('root', 'root', 'demo_db')


[+] Backup saved as: demo_db_backup_2025-05-02_18-09-36.sql


####**Roles And Environment**

- To secure data effectively in a SQL or database-driven environment, it’s important to define clear roles and implement proper security practices across different environments (dev, test, production).



#### **User Roles & Responsibilities**
- **DBA (Admin)**
  - Full access; manages users, roles, backups, auditing, encryption, patching
- **Developer**
  - Can read/write schemas and data (in dev/test); no access to production data
- **Data Analyst**
  - Read-only access to curated, approved datasets
- **Application**
  - Limited access (only the tables/procedures needed);
  - uses least privilege model
- **Auditor**
  - Read-only access to logs, changes, and permission reports

####**Environment-Specific Practices**

- **Development**
  - Use anonymized or fake data.
  - No access to real PII or sensitive data.
- **Testing**
  - Test access controls, edge cases.
  - Can mirror structure of production, not the data.
- **Production**
  - Full security controls: encryption, access audits, limited access via roles

### **Lab**
- Understand, identify, and mitigate SQL security issues like SQL Injection, and implement best practices such as role-based access, password encryption, and least privilege.

**Lab Set up**
- Database: MySQL
- Tables: users, employees
- Tools: MySQL Workbench or CLI, Python with mysql-connector-python

**Step 1: Create a Sample Users Table**
```
CREATE DATABASE secure_app;
USE secure_app;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50),
    password VARCHAR(100)
);

INSERT INTO users (username, password) VALUES ('admin', 'admin123'), ('user1', 'userpass');
```



In [None]:
conn=mysql.connector.connect(user='root', password='root', host='localhost')
cursor=conn.cursor()

In [None]:
query='''
DROP DATABASE IF EXISTS secure_app;
CREATE DATABASE secure_app;
USE secure_app;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50),
    password VARCHAR(100)
);

INSERT INTO users (username, password) VALUES ('admin', 'admin123'), ('user1', 'userpass');
'''
cursor.execute(query)

In [None]:
cursor.execute("SELECT * FROM users")
for x in cursor:
  print(x)

(1, 'admin', 'admin123')
(2, 'user1', 'userpass')


In [None]:
#close cursor and connection
cursor.close()
conn.close()

**Step 2:Demonstrate SQL Injection (Unsafe Login)**

In [None]:
conn=mysql.connector.connect(user='root', password='root', host='localhost', database='secure_app')
cursor=conn.cursor()

In [None]:
# DO NOT USE IN PRODUCTION
username = input("Enter username: ")
password = getpass.getpass("Enter password:")  # Use getpass to hide password input

query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
cursor.execute(query)


Enter username: admin'--
Enter password:··········


ProgrammingError: 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'acd123'' at line 1

**The error "ProgrammingError: 1064 (42000):**
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'asd123'' at line 1" indicates a syntax error in the SQL query being executed.
- This is likely due to **SQL injection**. The user input for the username variable contains the characters '-- which comments out the rest of the query, effectively bypassing the password check. This allows the attacker to potentially gain unauthorized access to the database.
- Specifically, the crafted username value ("admin'--") when inserted into the query leads to a malformed SQL statement.
- The single quotes intended to delimit the username and password values in the query get disrupted by

**Step 3: Prevent SQL Injection with Parameterized Query**

In [None]:
import getpass
username = input("Enter username: ")
password = getpass.getpass("Enter password:")  # Use getpass to hide password input
query = "SELECT * FROM users WHERE username = %s AND password = %s"
cursor.execute(query, (username, password))

Enter username: user1
Enter password:··········


**Step 4: Create Secure Roles and Grant Limited Permissions**




In [None]:
#Create new user
query="CREATE USER 'report_user'@'localhost' IDENTIFIED BY 'SecureP@ss!';"
cursor.execute(query)

In [None]:
#Grant limited access
query="GRANT SELECT ON secure_app.* TO 'report_user'@'localhost';"
cursor.execute(query)

In [None]:
#View permissions
query="SHOW GRANTS FOR 'report_user'@'localhost';"
cursor.execute(query)
for x in cursor:
  print(x)

('GRANT USAGE ON *.* TO `report_user`@`localhost`',)
('GRANT SELECT ON `secure_app`.* TO `report_user`@`localhost`',)


**Step 5: Encrypt Passwords**
- Use hashlib library to encript password
- Why Hash Passwords?
  - **Security**: Hashing converts passwords into irreversible, unique strings. If a database is breached, hashed passwords are much harder to crack than plain text passwords.
 - **Privacy**: Hashing helps protect user privacy by preventing the storage of actual passwords.
 - **Best Practice**: Hashing is a standard security practice for password storage.

In [None]:
#Encripyt password with hash
import hashlib
password = hashlib.sha256("admin123".encode()).hexdigest()

In [None]:
#View encrypted password
password

'240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9'

In [None]:
password = hashlib.sha256("admin1234".encode()).hexdigest()

**Step 6: Enable General Log and Audit Trail**

In [None]:
query='''
SET GLOBAL general_log = 'ON';
SHOW VARIABLES LIKE 'general_log_file';
'''
cursor.execute(query)
for x in cursor:
  print(x)

('general_log_file', '/var/lib/mysql/b79dba7f10f2.log')


- Log all user activity for auditing.

**Step 7: Practice Column-Level Encryption**

In [None]:
#Store encrypted data
query='''
 INSERT INTO users (username, password)
 VALUES ('secure_user', AES_ENCRYPT('securepass', 'encryption_key'));
 '''
cursor.execute(query)

DatabaseError: 1366 (HY000): Incorrect string value: '\xFAI\x9F5\x87\x82...' for column 'password' at row 1

In [None]:
# Change the password column data type to VARBINARY or BLOB
query = '''
ALTER TABLE users
MODIFY COLUMN password VARBINARY(255);  -- Or BLOB if needed
'''
cursor.execute(query)

# Now you can insert the encrypted data:
query = '''
INSERT INTO users (username, password)
VALUES ('secure_user', AES_ENCRYPT('securepass', 'encryption_key'));
'''
cursor.execute(query)

In [None]:
query='''
 SELECT username, CAST(AES_DECRYPT(password, 'encryption_key') AS CHAR) AS decrypted_password
 FROM users;
 '''
cursor.execute(query)
for x in cursor:
  print(x)

**Step 8: Close Connection and Cursor**

In [None]:
#Close cursor and connection
cursor.close()
conn.close()

----
**Conclusion:**
- SQL Security and Best Practices
SQL security is not just about writing correct queries — it's about safeguarding data, preventing misuse, and ensuring the integrity of your database systems.  
- From guarding against SQL injection to managing roles and encrypting sensitive data, security must be built into every layer of your database application.
- **SQL Injection is Preventable**
 - Always use parameterized queries or prepared statements to avoid execution of malicious inputs.
- **Principle of Least Privilege**
  - Assign users only the permissions they absolutely need. Avoid using root or admin for general queries.
- **User and Role Management**
  - Define roles for different responsibilities and enforce role-based access control.

- **Data Encryption**
 - Use column-level encryption for sensitive fields like passwords and personal information.
 - Enable data-at-rest and data-in-transit encryption (SSL/TLS).

- **Logging and Auditing**
  - Enable general logs, slow query logs, and use auditing tools to track suspicious activity.

- **Secure Authentication**
 - Use strong passwords, password plugins (e.g., caching_sha2_password), and password policies.

- **Backups and Recovery**
 - Maintain regular, secure backups and test recovery strategies to prevent data loss.





--------
###**References:**
- https://dev.mysql.com/doc/refman/8.4/en/encryption-functions.html
- https://quest-technology-group.com/academy/what-is-data-in-transit-vs-data-at-rest
- https://www.geeksforgeeks.org/sql-data-encryption/
- https://red9.com/blog/sql-server-best-encryption-features/