MySQL security input Password Some of the operation introduction

This article mainly introduces the MySQL security input password Some operations, the example based on Linux operating system, the need for friends can refer to the

When we run a MySQL client to connect to the MySQL server, it is not appropriate to specify our password in a way that is exposed to other users. There are four ways we can enter passwords, each of which has a certain risk. Here are the following four ways:

Security operation for MySQL password entry (translation)

First: Use the-pyour_pass or R--password=your_pass options directly after the command line.

Example:

?

1	shell> mysql-u Ksharpdabu-pksharppassword db_name

This is convenient, but not safe, because in some systems, passwords entered in this way are visible to some system state programs, such as the PS command, so that other users can invoke it to display your commands. A typical MySQL client typically overwrites command-line arguments with 0 during initialization of a sequence, but there is still a transient interval in which the value of the parameter is visible.

For example, you use shell> mysql-u ksharpdabu-pksharppassword db_name &

If you suspend the command and look at it with the Shell >ps–f command, you'll find the result as follows:

?

1 2 3 4 5 6 7 8 9

[Root@eva ~]# ps-f UID PID PPID C stime TTY time CMD root 11594 11591 0 19:54 pts/0 00:00:00-bash root 11614 11594 0 19:54 pts/0 00:00:00 mysql–uksharpdabu-px xxxxx root 11616 11594 0 19:54 pts/0 00:00:00 ps-f

The value of the password parameter becomes an asterisk and is not visible, but if you kill, you can still see the value of your password parameter.

Second: Use a-P or--password option (not followed by a password), in which case the client program requests a password from the terminal:

?

1	Shell>mysql-u ksharp-p Da_name

?

1	Enter password:*********

Because it is not visible to other users, it is more secure to log on to the MySQL server than to specify on the command line. However, this can only be used for interactive running programs, most of which we are not interactive to run a script to invoke the client, we can not use this method. In some systems, even the first line of the script is found incorrectly read and interpreted as our MySQL login password.

Third: Store your password in a configuration file, for example, in Unix, you can list your password in the [client] section of the home directory's ". My.cnf" file.

Example:

?

1 2 3

[Client] Password=your_pass

Of course, if you store the password in ". My.cnf", be sure to keep the file, in addition to yourself, must not allow other people to access the file. Ensure that the file access mode is: 400 or 600.

Use the following command:

?

1	Shell>chmod my.cnf.

Attached in Unix, the MySQL program reads the Startup options file list:

Mysql_home is an environment variable that contains the directory path where the server-related MY.CNF files reside.

If Mysql_home is not set, and there is a my.cnf file in the DataDir, Basedir does not have a my.cnf file, Mysqld_safe sets Mysql_home to DataDir. Otherwise, if Mysql_home is not set and there is no my.cnf in DataDir, then Mysqld_safe sets Mysql_home to Basedir.

A typical binary installation directory is/usr/local/var for/usr/local/mysql/data or source code installed directories. Note that this is the location of the data directory specified at the time of the configuration, and not specified with--datadir when Mysqld is started. The runtime uses--datadir to have no effect on the server looking for the option file, because the server looks for these options before processing the command-line parameters.

MySQL looks for the option file in the order described above and reads the existing option file. If you want to use an option file that does not exist, create it with a clear text editor. If more than one option file exists, the read-only option specified in the file will be the first read option specified in the file.

Note: On UNIX platforms, MySQL ignores configuration files that everyone can write to. It's intentional, it's a security measure.

Any long options that can be given on the command line when you run the MySQL program can also be given in the options file. To list the applicable options for your program, run the program with the--HELP option.

The list of profiles under other systems is as follows

In Windows, the MySQL program reads startup options from the following files:

Fourth: Storing passwords in the MYSQL_PWD environment variable

However, this method of specifying the MySQL password is extremely unsafe and should not be used. Some versions of PS include selections that show the environment in which the process is running

If you set the MYSQL_PWD, your password will be visible to everyone running PS, even on systems without such a version of PS.

On UNIX, the MySQL client saves the executed commands in the history file. By default, this file is named. mysql_history, created in your home directory. Passwords are recorded as plain text within these statements as CREATE USER, GRANT, and SET PASSWORD. So if you use these statements, they are recorded in this history file. To ensure security, you should strictly display the access mode of this file, just like the. my.cnf file you just said.

If your command interpreter is configured to maintain history, these history files, which will contain the password to enter MySQL in the command line. For example, a/.bash_history is used in bash. Any such file should have a strict access mode.