Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to hide the password in MySQL General/Slow Query Logs?

Tags:

security

php

mysql

aes

Sometimes I look through my MySQL logs and I stumble upon some AES_ENCRYPT/AES_DECRYPT requests showing the password in plaintext.

If I create the logs inside PHP I would be able to delete them.

But what about MySQL general/slow query logs. Is their an option available or is it possible to set a mySQL variable that won't be saved in the logs?

like image 421
mgutt Avatar asked Aug 16 '12 08:08

mgutt

People also ask

How do I get rid of the slow log in MySQL?

To disable or enable the slow query log or change the log file name at runtime, use the global slow_query_log and slow_query_log_file system variables. Set slow_query_log to 0 to disable the log or to 1 to enable it.

Does slow query log affect performance?

It is safe to log slow queries with execution time bigger than a second without worry about performance impact in case of CPU-bound workload. The performance impact is negligibly small in IO-bound workload even if all queries are logged.

How do I purge general logs in MySQL?

To force MySQL to start using new log files, flush the logs. Log flushing occurs when you execute a FLUSH LOGS statement or a mysqladmin flush-logs, mysqladmin refresh, mysqldump --flush-logs, or mysqldump --master-data command.

1 Answers

Unfortunately, I know of no way to disable MySQL logging for individual statements. The MySQL documentation advises to keep the logs secured for this reason:

From 5.2.3. The General Query Log

As of MySQL 5.6.3, passwords in statements written to the general query log are rewritten by the server not to occur literally in plain text. Password rewriting can be suppressed for the general query log by starting the server with the --log-raw option. This option may be useful for diagnostic purposes, to see the exact text of statements as received by the server, but for security reasons is not recommended for production use.

Before MySQL 5.6.3, passwords in statements are not rewritten and the general query log should be protected. See Section 6.1.2.2, “Administrator Guidelines for Password Security”.

Unfortunately, that (since 5.6.3) inbuilt anti-password-logging goes only for the MySQL PASSWORD() function.

I see a few possible solutions for your problem:

  1. For each query: disable the log, execute the query, enable the log
  2. Hash the password in your application itself (in your case, php sha)
  3. Secure the logfiles so noone can see the statements
  4. Log towards an application that removes the passwords itself
like image 186
Konerak Avatar answered Oct 19 '22 23:10

Konerak
Sign in to Comment

Related questions

In MVC architecture, where should password encryption take place
PHP/Ajax/jQuery - Passing a jquery value to a php script
900 MB http forced downloads rarely finish
Submit HTML form to PDF
How can I get PHP to compile a LaTeX document if it (www-data) can't get access to the required packages?
Cakephp cron job to call a controller's action
PHP Mongo: Notice: Mongo::__construct(): parsing servers
OpenCart: Add categories to main menu?
Make my own api with oauth
Accessing class constant trough property doesn't work
PoEdit and PHP annotations
More concise ternary expression?
How Can I Detect the Characters Defined in a Font?
Can PHP child classes alter parameters of overridden methods?
APC not speeding up PHP 5.4
NULL character found in serialized string
NetBeans code template for using all the arguments declared in the function's header
submitting the form after successful paypal money transaction using php
how to convert zval to vector for php extension?
Joomla | PHP: Have a category blog listing / latest articles within the menu structure

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!