
MySQL Security Concern

Sometimes when I encounter bugs, I have to sit down and determine whether they are a bug or just an issue. Or maybe, sometimes, it's how I think about something; in this case, maybe it's my process. In any case, I'm writing this up so I don't forget about it, and to share it with the larger community. This "bug" is present in both MySQL v3.21 and v4.01 (I found it on 3.21 and verified it against v4.01 in my test environment).

For a little background: several months ago I built a database for a friend on my web / database server. I added a user account for him so he could log in directly and created a database for him. I guess the name I chose for the database wasn't the best, because I named it after the software I installed, and when that software didn't meet his needs I deleted the database and removed his account from my system using the MySQL commands "DROP USER 'xxx'@'localhost'" and "DROP USER 'xxx'@'%'". Everything looked good and I didn't see his name under the list of logins anymore (SELECT * FROM users WHERE user_login = 'xxx').

Having completely forgotten about this, I installed a newer version of the software for myself to look at a couple of weeks ago. Then last week I re-added my friend to the server and granted him access to a different database. Imagine my surprise when he instant-messaged me and asked why "his" database was still there, and what all my data was doing in it. It turned out that just dropping the user didn't remove the account's access to the database, and I should also have executed "REVOKE ALL PRIVILEGES FROM 'xxx'@'localhost'" and "REVOKE ALL PRIVILEGES FROM 'xxx'@'%'" on his account.
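The deprovisioning sequence this implies, as an added example (not from the original post): inventory the account's grants, revoke them at every level before dropping the account, then verify nothing survives under that user name. The account 'xxx'@'localhost' / 'xxx'@'%' and the database name app_db are assumed placeholders.

```sql
-- Added example: cleanly removing a MySQL account on a server where
-- DROP USER alone leaves grant rows behind. Account names and the
-- database name app_db are constructed placeholders.

-- 1. Inventory what the account can currently reach.
SHOW GRANTS FOR 'xxx'@'localhost';
SHOW GRANTS FOR 'xxx'@'%';

-- The grant tables that can hold rows for the account. Any row that
-- survives here is what a later account with the same name inherits.
SELECT Host, User                          FROM mysql.user         WHERE User = 'xxx';
SELECT Host, Db, User                      FROM mysql.db           WHERE User = 'xxx';
SELECT Host, Db, User, Table_name          FROM mysql.tables_priv  WHERE User = 'xxx';
SELECT Host, Db, User, Table_name, Column_name
                                           FROM mysql.columns_priv WHERE User = 'xxx';

-- 2. Revoke before dropping. A global REVOKE does not clear the
--    per-database rows in mysql.db, so revoke at each level that the
--    inventory above showed.
REVOKE ALL PRIVILEGES ON *.*      FROM 'xxx'@'localhost', 'xxx'@'%';
REVOKE ALL PRIVILEGES ON app_db.* FROM 'xxx'@'localhost', 'xxx'@'%';
-- Repeat per table / column for any tables_priv or columns_priv rows, e.g.:
-- REVOKE ALL PRIVILEGES ON app_db.some_table FROM 'xxx'@'localhost';

-- GRANT OPTION is not covered by "ALL PRIVILEGES" and needs its own REVOKE.
REVOKE GRANT OPTION ON *.*      FROM 'xxx'@'localhost', 'xxx'@'%';
REVOKE GRANT OPTION ON app_db.* FROM 'xxx'@'localhost', 'xxx'@'%';

-- 3. Only now drop the account entries themselves.
DROP USER 'xxx'@'localhost';
DROP USER 'xxx'@'%';

-- 4. Verify: every count must be 0 before the name is reused for anyone.
SELECT COUNT(*) AS user_rows    FROM mysql.user         WHERE User = 'xxx';
SELECT COUNT(*) AS db_rows      FROM mysql.db           WHERE User = 'xxx';
SELECT COUNT(*) AS table_rows   FROM mysql.tables_priv  WHERE User = 'xxx';
SELECT COUNT(*) AS column_rows  FROM mysql.columns_priv WHERE User = 'xxx';
```

The verification queries are the important part: re-running them when the same user name is created again shows whether any stale grant rows were waiting to be picked up.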

I'm not sure if this is a bug or just a detail in implementation. (And lucky for me I didn't have anything critical in there and that I trust him completely on my systems!)