The problem with MySQL is that the naive way to do it is to construct queries based on user input and then "run" them by submitting them to the MySQL server. "Running" anything built out of user content is a huge source of danger. It doesn't help that MySQL security is made unnecessarily opaque by things like magic_quotes_gpc. Once you wrap your mind around it, it's not hard, but it takes a while to do that. Honestly, it seems to me like the whole SQL setup is pretty suboptimal; if we went back and reinvented databases, we should do it a lot differently. A lot of applications don't need them anyway; most people's WordPress blogs could easily fit in RAM, which would make the blog run a bajillion times faster... but hosts want to cram tons and tons of people on each box, so we get MySQL.
It's 'easier' to hack because, like anything, the more popular it is, the greater the number of unintelligent people using it.
I think there's some confusion between poor application coding and a database. PHP is not MySQL, so functions like magic_quotes_gpc have nothing to do with the database. MySQL is just as secure as any other database. It does exactly what it is supposed to do. If a programmer can't create secure transactions between the application and the database, it's the programmer and the application that are not secure, not the database. There would be the exact same problems with MSSQL, or Postgres, or Oracle, or anything else. I think the real problem is that PHP is overly easy to get started with, so there are a lot of inexperienced programmers writing very poor code. There are always going to be security holes found, but if a programmer can't provide even the most basic security, it doesn't really matter what software or database or anything else is being used.
Poor coding allows the interaction with the DB to be hacked, not the actual DB. Look into SQL injection...
Very well said, jestep, and since MySQL is open source, I don't think there is a way to hack it. And yeah, one time I coded for a guy who had a script running on his site, and I found a trick by which I could buy products without paying for them, just by editing HTML forms. Someone could say that PHP, MySQL or even HTML had a hole or a bug or whatever, but it was all down to bad coding; a few lines of code added, and the problem was gone.
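The "buy products without paying" trick described in the post above is the classic case of a checkout that trusts a price field posted back from the browser. The following is an added example, not code from the thread or from any real shop script; the catalog, the form fields and the price-in-cents convention are constructed for illustration. It puts the trusting version beside the fixed one, where the server ignores the posted price and looks it up itself.

```python
# Added example, not code from the thread. CATALOG stands in for the shop's
# product table; form dicts stand in for the POSTed HTML form fields.
CATALOG = {"widget": 1999, "gadget": 4999}  # prices in cents, server-side source of truth

def order_total_trusting_form(form):
    """Vulnerable: the hidden <input name="price"> is editable in the browser,
    so the total is whatever the customer chose to send (including 0 or a negative qty)."""
    return int(form["price"]) * int(form["qty"])

def order_total_server_side(form):
    """Fixed: price comes from the catalog, the posted price is ignored, and the
    product id and quantity are validated. Raises ValueError on anything off."""
    product = form.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product: %r" % (product,))
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range: %d" % qty)
    return CATALOG[product] * qty

def price_was_tampered(form):
    """Worth logging in the fixed version: did the browser post a price that
    disagrees with the catalog? True means someone edited the form."""
    product = form.get("product")
    if product not in CATALOG or "price" not in form:
        return False
    try:
        return int(form["price"]) != CATALOG[product]
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed sample requests: an honest one and an edited one.
    honest = {"product": "widget", "price": "1999", "qty": "3"}
    edited = {"product": "widget", "price": "0", "qty": "3"}
    print(order_total_trusting_form(honest), order_total_trusting_form(edited))  # 5997 0
    print(order_total_server_side(honest), order_total_server_side(edited))      # 5997 5997
    print(price_was_tampered(edited))                                            # True
```

The same rule applies to every field the server could compute itself (discounts, shipping, product ownership): the form is a request, not a fact, and the server re-derives the money-bearing values.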
How does something being open source mean there is no way for it to be hacked? Open source applications can be hacked just like anything else, but users can report the security hole and it will be fixed much sooner than in a non-open-source application.
Yeah, you are right; I forgot to complete what I said. What I wanted to say is that since MySQL is open source, and it's the most widely used open source database application (at least I think so), after years and years of security issues being reported by people all around the world and later fixed, I think it's unhackable. Unless you use a recently released version of MySQL, I think it's secure.
Having dealt with a number of Microsoft SQL and MySQL "hacks" in the past, it's rarely the database that's the issue; it's normally unsafe code executing a SQL injection due to bad permissions. I would say you can secure against 80% of common hacks by securing your DB: connect with a user with limited permissions and use strongly typed parameters in your queries.
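To make the two recommendations in the post above concrete (and the "construct the query from user input and run it" pattern the thread opened with), here is an added example; it is not code from the thread or from any of the projects mentioned. It uses Python's bundled sqlite3 module so it runs offline, but the query patterns are exactly what a DB-API driver sends to MySQL. The products table, its rows and the `' OR '1'='1` payload are constructed for the example; since SQLite has no GRANT, the least-privilege account is simulated with an authorizer callback, and the MySQL equivalent is noted in a comment.

```python
import sqlite3

# Added example, not code from the thread. Constructed sample schema: one table
# with a "hidden" row that the web user must never be able to list.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)])
    conn.commit()
    return conn

def public_names_naive(conn, name):
    """The dangerous pattern: paste user input into the SQL text and run it.
    A quote in the input changes the query's structure, not just its data."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def public_names_param(conn, name):
    """Same query with a bound parameter: the value is sent separately from the
    SQL and can never become part of its grammar."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def name_by_id(conn, raw_id):
    """Strongly typed parameter: coerce to int before any SQL is involved, so
    '1 OR 1=1' is rejected up front. Returns None for bad input or no match."""
    try:
        product_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchone()
    return row[0] if row else None

def restrict_to_reads(conn):
    """Stand-in for a least-privilege account. On MySQL you would create the web
    user with GRANT SELECT ON shop.* TO 'web'@'localhost' and nothing more;
    SQLite has no GRANT, so an authorizer denies every action except reads."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def delete_is_denied(conn):
    """True if the connection can no longer run DELETE (what limits the blast
    radius when an injection does get through)."""
    try:
        conn.execute("DELETE FROM products")
        return False
    except sqlite3.DatabaseError:
        return True

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(public_names_naive(db, payload))   # every row, the hidden one included
    print(public_names_param(db, payload))   # [] : the payload is just a string
    print(name_by_id(db, "1 OR 1=1"))         # None : rejected before SQL is built
    restrict_to_reads(db)
    print(delete_is_denied(db))              # True
```

The two halves are independent defences: parameters stop the query text from being rewritten, and the read-only account means that even a query you forgot to parameterize cannot delete or alter data. With MySQL, use a driver that sends real server-side prepared statements (or at least does its own escaping of bound values), and never rely on magic_quotes_gpc, which rewrites the request rather than the query.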