
Is it possible to hide the password in MySQL General/Slow Query Logs?

Sometimes I look through my MySQL logs and I stumble upon some AES_ENCRYPT/AES_DECRYPT requests showing the password in plaintext.

If I create the logs inside PHP I would be able to delete them.

But what about MySQL general/slow query logs? Is there an option available or is it possible to set a MySQL variable that won't be saved in the logs?

mgutt asked Aug 16 '12 08:08



1 Answer

Unfortunately, I know of no way to disable MySQL logging for individual statements. The MySQL documentation advises to keep the logs secured for this reason:

From 5.2.3. The General Query Log

As of MySQL 5.6.3, passwords in statements written to the general query log are rewritten by the server not to occur literally in plain text. Password rewriting can be suppressed for the general query log by starting the server with the --log-raw option. This option may be useful for diagnostic purposes, to see the exact text of statements as received by the server, but for security reasons is not recommended for production use.

Before MySQL 5.6.3, passwords in statements are not rewritten and the general query log should be protected. See Section 6.1.2.2, “Administrator Guidelines for Password Security”.

Unfortunately, that (since 5.6.3) inbuilt anti-password-logging goes only for the MySQL PASSWORD() function.

I see a few possible solutions for your problem:

  1. For each query: disable the log, execute the query, enable the log
  2. Hash the password in your application itself (in your case, PHP sha)
  3. Secure the logfiles so no one can see the statements
  4. Log towards an application that removes the passwords itself
Konerak answered Oct 19 '22 23:10
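
One way to implement option 4 from the answer above, added here as an example and not part of Konerak's answer: a Python filter that masks the key argument of `AES_ENCRYPT`/`AES_DECRYPT` calls in a log line, tracking quotes and nested parentheses instead of relying on a single regex. The function names, the mask text and the sample log line are constructed for illustration.

```python
import re
CALL = re.compile(r"\bAES_(?:EN|DE)CRYPT\s*\(", re.IGNORECASE)  # start of a call
MASK = "'<redacted>'"
# Constructed general-log style line (not taken from the page).
SAMPLE = "12 Query\tSELECT AES_DECRYPT(secret, 'hunter2') FROM vault WHERE id = 7"

def split_args(text, start):
    """Spans of the top-level arguments of the call opened just before `start`;
    None if the text ends before the closing parenthesis."""
    spans, depth, quote, begin, i = [], 0, None, start, start
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\" or text[i:i + 2] == quote * 2:
                i += 1                  # backslash escape or doubled quote
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth == 0:
            return spans + [(begin, i)]
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            spans.append((begin, i))
            begin = i + 1
        i += 1
    return None

def redact_line(line):
    """Mask the key (second) argument of every AES_ENCRYPT/AES_DECRYPT call."""
    spans = []
    for m in CALL.finditer(line):
        args = split_args(line, m.end())
        if args is None:                # truncated call: mask to end of line
            spans.append((m.end(), len(line.rstrip("\n"))))
        elif len(args) >= 2:
            spans.append(args[1])
    out, pos = [], 0
    for begin, end in sorted(spans):
        if begin >= pos:                # skip spans nested in one already masked
            out += [line[pos:begin], MASK]
            pos = end
    return "".join(out) + line[pos:]

if __name__ == "__main__":
    print(redact_line(SAMPLE))
```

The filter only protects the copy it produces; the log the server itself writes still holds the key and needs the file protection from option 3.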