How to securely enter passwords in MySQL _ MySQL

This article describes how to securely enter a password for MySQL. The example is based on the Linux operating system. For more information, see when we run the mysql client to connect to the mysql server, it is inappropriate to specify our password in an exposed way that can be discovered by other users. There are four password input methods, each of which is risky. The following describes the four methods:

Secure operation for MySQL password input)

First, use-pyour_pass or r -- password = your_pass directly after the command line.

Example:

shell> mysql -u ksharpdabu -pksharppassword  db_name

This method is convenient, but not secure, because in some systems, passwords entered in this method are visible to some system state programs, such as ps commands, allows other users to call to display your commands. Generally, mysql clients normally use zero overwrite command line parameters during the initialization sequence, but there is still a short interval between internal values visible.

For example, you can use shell> mysql-u ksharpdabu-pksharppassword db_name &

Run shell> ps-f to suspend the command. The result is as follows:

[root@EVA ~]# ps -fUID    PID PPID C STIME TTY     TIME CMDroot   11594 11591 0 19:54 pts/0  00:00:00 -bashroot   11614 11594 0 19:54 pts/0  00:00:00 mysql –uksharpdabu  -px xxxxxroot   11616 11594 0 19:54 pts/0  00:00:00 ps -f

The password parameter value is changed to an asterisk, which is invisible. However, you can still see your password parameter value when you kill it.

Type 2: Use a-p or -- password option (no password is specified later). In this case, the client requests the password from the terminal:

shell>mysql -u ksharp -p da_name

Enter password:*********

Because it is invisible to other users, it is more secure to log on to the mysql server than specified in the command line. However, this method can only be used for interactive running of programs. In most cases, it is not allowed to run a non-interactive script to call the client. In some systems, you may even find that the first line of the script is incorrectly read and interpreted as our mysql login password.

Third: store your password in a configuration file. for example, in Unix, you can list your password in the [client] section of the ". my. cnf" file in the main directory.

Example:

[client]password=your_pass

Of course, if you store a password in ". my. cnf", you must keep this file safe. except yourself, you must never allow others to access this file. Ensure that the file access mode is 400 or 600.

Run the following command:

shell>chmod 600 .my.cnf

Attached to Unix, the MySQL program reads the file list of startup options:

MYSQL_HOME is an environment variable that contains the directory path of the my. cnf file related to the server.

If MYSQL_HOME is not set, and there is a my. cnf file in DATADIR, there is no my. cnf file in BASEDIR, and mysqld_safe sets MYSQL_HOME to DATADIR. Otherwise, if MYSQL_HOME is not set and my. cnf is not in DATADIR, mysqld_safe sets MYSQL_HOME to BASEDIR.

In typical cases, the directory for binary installation is/usr/local/mysql/data or the directory for source code installation is/usr/local/var. Note that this is the location of the data directory specified during configuration, rather than the location specified by -- datadir when mysqld is started. Running -- datadir does not work on the server that looks for the option file, because the server looks for these options before processing the command line parameters.

MySQL looks for option files in the above order and reads the existing option files. If the option file you want to use does not exist, create it in the plaintext text editor. If multiple option files exist, the option specified in the file to be read first must take precedence over the option specified in the file.

Note: On Unix platforms, MySQL ignores configuration files that can be written by everyone. This is intentional and a security measure.

Any long options that can be provided in the command line when running the MySQL program can also be provided in the option file. To list the applicable options of a program, run the program with the -- help option.

The configuration files in other systems are listed as follows,

In Windows, MySQL programs read startup options from the following files:

Type 4: store passwords in the MYSQL_PWD environment variables

However, this method of specifying the MySQL password is extremely insecure and should not be used. Some versions of ps include selecting the environment for displaying running processes

If you set MYSQL_PWD, your password will be seen by everyone running ps, even on systems without such a version of ps, it may also be observed.

On Unix, the mysql client saves the executed commands in the history file. By default, this file is named. mysql_history and created in your home directory. Passwords are recorded as plain text in statements such as create user, GRANT, and set password. Therefore, if these statements are used, they are recorded in this history file. To ensure security, we should strictly display the access mode of this file, just like the. my. cnf file just mentioned.

If your command interpreter is configured to keep history, these history files include the MySQL password entered in the command line. For example, in bash? /. Bash_history. Any such file should have a strict access mode.