A search of the CERT database shows more reported vulnerabilities in MS SQL than MySQL. On the plus side, Oracle seems to be much worse. MySQL being open source also gives it the advantage of community review so that developers and hackers can explore the code and find and patch vulnerabilities before the product ships, reducing the number of vulnerabilities in the final product. But any product, especially one designed to be used on the Internet, will have exploits. The important thing is finding the patches and applying them promptly, as well as ensuring that the application is well protected - direct access to the database is restricted, and all scripts that access the database are secured. I have seen extremely well secured databases that have been wiped out by a user adding a few extra characters to a login screen.
By well secured I mean the database had all the latest patches, remote connections were blocked via the firewall, the access passwords were changed regularly - all of which didn't matter because of a flaw in a web site script.
Related SP thread:
? about p74 of Sitepoint db book
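The "few extra characters on a login screen" failure described above, as an added example that is not code from the thread: a login check that builds its SQL by string concatenation next to the parameterised version that binds the form input as data. The users table, the column names and the use of an in-memory sqlite3 database as a stand-in for MySQL or MS SQL are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample users table (sqlite3 in-memory, standing in for the
    real MySQL/MS SQL server so the example runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Query text built from form input: whatever the user types becomes part
    of the SQL, so a fully patched, firewalled server still runs it."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver binds the values, so form input is
    compared as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Constructed tainted input: a quote plus a comment marker so the rest of
    # the WHERE clause (the password check) is dropped by the SQL parser.
    tainted = "alice' --"
    print("vulnerable, tainted:", login_vulnerable(db, tainted, "x"))  # True
    print("safe, tainted:     ", login_safe(db, tainted, "x"))        # False
```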
There are several Windows vulnerabilities that indirectly cause SQL Server security issues.
- I have only used MySQL and Sybase SQL myself.
- I have never used MS SQL server, but as far as I know it is one of the better products from MS.
- Maybe a too-tight integration with the MS OS. Is it available on Linux platforms?
MySQL has one major flaw. The password for the root user is by default the same as root or Administrator on the server it was installed on. It must be changed after the install and unfortunately that does not happen often enough.
Personal opinion: I think the security provided by the OS is much more important than the DB server. If you can't get into the OS the server is a lot safer.
I would like to see these servers switch to the ssh model of user keys rather than passwords for connections.
"The future is here. It's just not evenly distributed."