#1

MySQL Security

I have had the contents of a couple of tables disappear from my database and I was wondering if there are ways that people can access your database remotely without knowing the user name and password. All the tables were not emptied so it seems very strange. It may just be a problem with the database and not a security problem? Also what security precautions can I make to protect my database if there are ways that determined people can access it?
#2

Through a web interface, SQL injection can be the biggest threat to your data. If you don't check all the input that goes into your SQL query, it's possible to "inject" a custom query into your database.

For example, say your PHP script used this query:

    SELECT * FROM $tablename WHERE Article = $article;

If you don't check the values of $tablename and $article, it's possible for a hacker to figure out the SQL query you're using by manufacturing a query string (assuming register globals is on):

    ?tablename=something_wrong&article=1;

This would throw MySQL, as there is no table called "something_wrong", and it'll report something like this straight to the hacker's browser:

    Cannot execute query: SELECT * FROM something_wrong WHERE Article = 1; Reason: No table named 'something_wrong'

Now the hacker knows your query. Now he can try setting the query string to this:

    ?tablename=valid_table; DROP TABLE valid_table; #

See what it'll try to do? It'll run these 3 requests:

    SELECT * FROM valid_table;
    DROP TABLE valid_table;   //uh oh
    # WHERE Article = 1       //i.e. commented out

If your database is set up with too lenient permissions, this can work.

Aside: Actually not quite. mysql_query() can only run one query at a time, and will return an error if you try this. But with MySQL's newest versions, sub-selects are supported, which can be injected, and mysql_query() won't complain.

See these for great real-world examples: www.wiretrip.net www.wiretrip.net

Garth Farley
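The reply above makes three separate points: the table name and the article value are both dropped straight into the query text, the database error is echoed to the browser (so the attacker learns the query), and lenient permissions let a destructive statement succeed. The following is an added example, not code from the original post or from GIDForums; it uses Python's built-in sqlite3 as an offline stand-in for the PHP/MySQL code under discussion, and the table names, columns and rows are constructed for the demonstration. It puts the vulnerable query pattern beside a hardened version: the table name (an identifier, which cannot be bound as a parameter) is checked against an allowlist, the article id is type-checked and bound with a placeholder, and the web-facing wrapper returns a generic error instead of the failing SQL.

```python
import sqlite3

# Hypothetical allowlist of tables the page is permitted to read (constructed for this example).
ALLOWED_TABLES = {"articles", "comments"}


def make_db():
    """Build an in-memory database with constructed sample rows (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (Article INTEGER, Title TEXT, Secret INTEGER);
        INSERT INTO articles VALUES (1, 'Public post', 0), (2, 'Draft', 1), (3, 'Internal memo', 1);
        CREATE TABLE comments (Article INTEGER, Body TEXT);
    """)
    return conn


def fetch_vulnerable(conn, tablename, article):
    """The pattern from the post: request values concatenated into the SQL text.

    Anything the client sends in `article` is parsed as SQL, so a value such as
    "1 OR 1=1" widens the WHERE clause and returns every row in the table.
    """
    sql = f"SELECT * FROM {tablename} WHERE Article = {article}"
    return conn.execute(sql).fetchall()


def fetch_safe(conn, tablename, article):
    """Hardened version of the same query.

    Identifiers cannot be bound as parameters, so the table name is compared
    against a fixed allowlist; the article id is validated as an integer and
    bound with a placeholder, so it is passed as data and never parsed as SQL.
    """
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table")
    article_id = int(article)          # "1 OR 1=1" fails here with ValueError
    sql = f"SELECT * FROM {tablename} WHERE Article = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def handle_request(conn, params):
    """Web-handler style wrapper: params is a dict of query-string values.

    Failures are logged server-side (stub below) and the client only gets a
    generic message, so a probing request never sees the query text or the
    database's reason for rejecting it.
    """
    try:
        rows = fetch_safe(conn, params.get("tablename", ""), params.get("article", ""))
        return {"ok": True, "rows": rows}
    except (ValueError, sqlite3.Error) as exc:
        server_log = f"query failed: {exc!r}"      # stays in the server log only
        return {"ok": False, "error": "request failed"}


if __name__ == "__main__":
    db = make_db()
    # Legitimate request behaves the same on both paths.
    print(fetch_vulnerable(db, "articles", "1"))
    print(fetch_safe(db, "articles", "1"))
    # Widened WHERE clause dumps the table through the vulnerable path...
    print(fetch_vulnerable(db, "articles", "1 OR 1=1"))
    # ...and is rejected with a generic error through the hardened handler.
    print(handle_request(db, {"tablename": "articles", "article": "1 OR 1=1"}))
    print(handle_request(db, {"tablename": "something_wrong", "article": "1"}))
```

The allowlist is the important part for the `$tablename` case: no driver lets you bind a table name as a parameter, so the only safe options are a fixed set of known identifiers or, better, not taking the table name from the client at all. Binding the value and hiding the error message each close one of the gaps the reply describes; restricting the database account so the web user cannot DROP or ALTER anything closes the last one, and that is configured on the database server rather than in this code.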