DVWA requires a database to store user accounts, vulnerability data, and session information. This guide covers database setup for both MariaDB/MySQL and SQLite.

## Database Credentials

Configure database connection settings in `config/config.inc.php`:

```php
$_DVWA['db_server']   = '127.0.0.1';
$_DVWA['db_port']     = '3306';
$_DVWA['db_user']     = 'dvwa';
$_DVWA['db_password'] = 'p@ssw0rd';
$_DVWA['db_database'] = 'dvwa';
```

### Default Values

| Setting | Default Value | Description |
|---------|---------------|-------------|
| `db_server` | `127.0.0.1` | Database server address |
| `db_port` | `3306` | Database server port |
| `db_user` | `dvwa` | Database username |
| `db_password` | `p@ssw0rd` | Database password |
| `db_database` | `dvwa` | Database name |

<Warning>
  The database specified in `db_database` will be **completely erased** during setup. Always use a dedicated database for DVWA.
</Warning>

## MariaDB vs MySQL

DVWA works with both MariaDB and MySQL, but **MariaDB is strongly recommended**.

### Why MariaDB?

- Works out of the box without configuration changes
- Default in Kali Linux and many modern distributions
- Better compatibility with PHP
- No authentication plugin issues

### MySQL Considerations

MySQL requires additional configuration:
- Authentication method changes (see [Troubleshooting](#unknown-authentication-method))
- Potential compatibility issues with recent versions
- More complex setup process

If possible, migrate from MySQL to MariaDB. See the [official migration guide](https://mariadb.com/resources/blog/how-to-migrate-from-mysql-to-mariadb-on-linux-in-five-steps/).

## Creating Database User

<Note>
  **MariaDB users cannot use the root account.** You must create a dedicated DVWA user.
</Note>

### Step 1: Connect to Database

Connect as the root user:

```bash
sudo mysql
```

Or with password:

```bash
sudo mysql -u root -p
```

### Step 2: Create Database and User

Run the following SQL commands:

```sql
MariaDB [(none)]> create database dvwa;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> create user dvwa@localhost identified by 'p@ssw0rd';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> grant all on dvwa.* to dvwa@localhost;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
```

### Step 3: Verify Credentials

Test the database connection from the command line:

```bash
mysql -u dvwa -pp@ssw0rd -D dvwa
```

<Note>
  There is **no space** after the `-p` flag.
</Note>

If successful, you'll see:

```text
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.3.22-MariaDB-0ubuntu0.19.10.1 Ubuntu 19.10

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [dvwa]>
```
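
The account created in Step 2 should hold privileges on the dedicated `dvwa` database and nothing else. The following added example (not part of DVWA or its documentation) parses `SHOW GRANTS` output and lists any grant that reaches beyond that database; the function name `audit_grants` and the sample grant lines are constructed for illustration.

```bash
# Added example: check that the DVWA account is confined to its own database.
# Real use: sudo mysql -N -e "SHOW GRANTS FOR 'dvwa'@'localhost'" | audit_grants dvwa

# audit_grants DB: read SHOW GRANTS output on stdin, print every grant that
# reaches beyond database DB, return 1 if any were found and 0 otherwise.
audit_grants() {
    allowed_db=$1
    excess=0
    while IFS= read -r line; do
        case $line in
            "GRANT "*) ;;                  # a grant statement: inspect it
            *) continue ;;                 # column header or blank line
        esac
        privs=${line#GRANT }
        privs=${privs%% ON *}              # privilege list, e.g. ALL PRIVILEGES
        scope=${line#* ON }
        scope=${scope%% TO *}              # scope, e.g. `dvwa`.* or *.*
        scope=$(printf '%s' "$scope" | tr -d '`')
        case $scope in
            "$allowed_db".*) continue ;;   # inside the dedicated database
            '*.*') [ "$privs" = "USAGE" ] && continue ;;  # login right only
        esac
        printf 'EXCESS: %s ON %s\n' "$privs" "$scope"
        excess=1
    done
    return "$excess"
}

# Constructed sample output (not captured from a real server).
SAMPLE_SCOPED='GRANT USAGE ON *.* TO `dvwa`@`localhost`
GRANT ALL PRIVILEGES ON `dvwa`.* TO `dvwa`@`localhost`'

SAMPLE_BROAD='GRANT ALL PRIVILEGES ON *.* TO `dvwa`@`localhost`
GRANT SELECT ON `mysql`.* TO `dvwa`@`localhost`
GRANT ALL PRIVILEGES ON `dvwa`.* TO `dvwa`@`localhost`'

printf '%s\n' "$SAMPLE_SCOPED" | audit_grants dvwa && echo "scoped account: confined to dvwa"
printf '%s\n' "$SAMPLE_BROAD" | audit_grants dvwa || echo "broad account: revoke the grants listed above"
```

MariaDB also appends an `IDENTIFIED BY PASSWORD` clause to the `USAGE` line; the parser discards everything after ` TO `, so that clause does not affect the result.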

## Database Setup via Web Interface

After configuring credentials, initialize the database through the web interface.

### Setup Process

1. Navigate to the setup page:

   ```text
   http://localhost/DVWA/setup.php
   ```

   Or for Docker:

   ```text
   http://localhost:4280/setup.php
   ```

2. Review the **Setup Check** section for any configuration issues

3. Click the **"Create / Reset Database"** button

4. If successful, you'll be redirected to the login page

### What Gets Created

The setup script creates:
- All necessary database tables
- Default user accounts (admin/password)
- Sample data for vulnerability modules
- Session management structures

<Warning>
  If the database already exists, it will be **cleared and reset**. All data will be lost.
</Warning>

## Docker Database Configuration

When using Docker Compose, the database is automatically configured.

### Docker Database Service

From `compose.yml`:

```yaml
db:
  image: docker.io/library/mariadb:10
  environment:
    - MYSQL_ROOT_PASSWORD=dvwa
    - MYSQL_DATABASE=dvwa
    - MYSQL_USER=dvwa
    - MYSQL_PASSWORD=p@ssw0rd
  volumes:
    - dvwa:/var/lib/mysql
  networks:
    - dvwa
  restart: unless-stopped
```

### Environment Variables

| Variable | Value | Purpose |
|----------|-------|---------|
| `MYSQL_ROOT_PASSWORD` | `dvwa` | Root password |
| `MYSQL_DATABASE` | `dvwa` | Auto-created database |
| `MYSQL_USER` | `dvwa` | Auto-created user |
| `MYSQL_PASSWORD` | `p@ssw0rd` | User password |

### DVWA Service Configuration

The DVWA container connects to the database:

```yaml
dvwa:
  environment:
    - DB_SERVER=db
  depends_on:
    - db
```

The `DB_SERVER=db` setting points to the database service name.

## SQLite3 Support for SQLi Labs

You can switch SQL Injection labs to use SQLite3 instead of MySQL/MariaDB.

### When to Use SQLite

- Testing different SQL syntax
- Isolated SQL injection practice
- Lightweight testing environments

<Note>
  This only affects the SQL Injection and Blind SQL Injection modules. All other features still use MySQL/MariaDB.
</Note>

### Enable SQLite Backend

Edit `config/config.inc.php`:

```php
define('MYSQL', 'mysql');
define('SQLITE', 'sqlite');

$_DVWA['SQLI_DB'] = SQLITE;
$_DVWA['SQLITE_DB'] = 'sqli.db';
```

Or set via environment variable:

```bash
SQLI_DB=sqlite
```

### Install PHP SQLite Extension

On Debian/Ubuntu:

```bash
sudo apt install php-sqlite3
sudo systemctl restart apache2
```

### Reset SQLite Database

If you corrupt the database during testing:

```bash
cp database/sqli.db.dist database/sqli.db
```

The default database is located at `database/sqli.db`.

## Troubleshooting

### Access Denied Errors

If you see:

```text
Database Error #1045: Access denied for user 'dvwa'@'localhost' (using password: YES).
```

The username or password in the config file doesn't match the database.

**Solutions:**
1. Verify credentials in `config/config.inc.php`
2. Test login from command line:
   ```bash
   mysql -u dvwa -pp@ssw0rd -D dvwa
   ```
3. Recreate the database user with the correct password

### Database Does Not Exist

If you see:

```text
SQL: Access denied for user 'dvwa'@'localhost' to database 'notdvwa'
```

The database name in config doesn't exist.

**Solutions:**
1. Verify `db_database` setting
2. Create the database:
   ```sql
   CREATE DATABASE dvwa;
   ```

### Connection Refused

If you see:

```text
Fatal error: Uncaught mysqli_sql_exception: Connection refused
```

The database server is not running.

**Solutions:**

Check if running:

```bash
sudo systemctl status mariadb
```

Start the service:

```bash
sudo systemctl start mariadb
```

Verify `db_server` IP address in config.

### Unknown Authentication Method

If you see:

```text
Database Error #2054: The server requested authentication method unknown to the client.
```

MySQL is using `caching_sha2_password` instead of `mysql_native_password`.

**Solution 1: Switch to MariaDB (Recommended)**

Follow the [MariaDB migration guide](https://mariadb.com/resources/blog/how-to-migrate-from-mysql-to-mariadb-on-linux-in-five-steps/).

**Solution 2: Fix MySQL Authentication**

1. Edit `/etc/mysql/mysql.conf.d/mysqld.cnf`
2. Add under `[mysqld]`:
   ```ini
   default-authentication-plugin=mysql_native_password
   ```
3. Restart MySQL:
   ```bash
   sudo systemctl restart mysql
   ```
4. Update user authentication:
   ```sql
   ALTER USER dvwa@localhost IDENTIFIED WITH mysql_native_password BY 'p@ssw0rd';
   ```

### Database Server Not Running

If you see:

```text
ERROR 2002 (HY000): Can't connect to local MySQL server through socket
```

Start the database server:

```bash
sudo systemctl start mariadb
```

Enable auto-start on boot:

```bash
sudo systemctl enable mariadb
```

## Next Steps

After database setup:

1. Complete the web-based database initialization
2. Log in with default credentials (admin/password)
3. Configure security levels
4. Start testing vulnerabilities!
