Is it possible to hide the password in MySQL General/Slow Query Logs?


Question

Sometimes I look through my MySQL logs and I stumble upon some AES_ENCRYPT/AES_DECRYPT requests showing the password in plaintext.

If I create the logs inside PHP I would be able to delete them.

But what about MySQL general/slow query logs? Is there an option available or is it possible to set a MySQL variable that won't be saved in the logs?

Recommended answer

Unfortunately, I know of no way to disable MySQL logging for individual statements. The MySQL documentation advises to keep the logs secured for this reason:

From 5.2.3. The General Query Log

As of MySQL 5.6.3, passwords in statements written to the general query log are rewritten by the server not to occur literally in plain text. Password rewriting can be suppressed for the general query log by starting the server with the --log-raw option. This option may be useful for diagnostic purposes, to see the exact text of statements as received by the server, but for security reasons is not recommended for production use.

Before MySQL 5.6.3, passwords in statements are not rewritten and the general query log should be protected. See Section 6.1.2.2, "Administrator Guidelines for Password Security".

Unfortunately, that (since 5.6.3) inbuilt anti-password-logging goes only for the MySQL PASSWORD() function.

I see a few possible solutions for your problem:

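  1. For each query: disable the log, execute the query, enable the log
  2. Keep the password in the application itself (in your case PHP sha)
  3. Secure the log files so that no one can see the statements
  4. Log from the application, which can remove the password itself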
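
Option 4, sketched as an added example (not code from the original answer): a Python helper that masks every string literal inside `AES_ENCRYPT()`/`AES_DECRYPT()` calls before the application writes a statement to its own log. The names `redact_aes_literals` and `AesRedactingFilter` are hypothetical, and the sample statement is constructed; the server's general/slow query logs are not affected by it and still need option 1 or 3.

```python
import logging
import re

AES_CALL = re.compile(r"\bAES_(?:EN|DE)CRYPT\s*\(", re.IGNORECASE)
MASK = "'<redacted>'"

def _end_of_literal(sql, i):
    """Return the index just past the quoted literal that opens at sql[i]."""
    quote = sql[i]
    i += 1
    while i < len(sql):
        if sql[i] == "\\":                    # backslash escape: skip next char
            i += 2
        elif sql[i] != quote:
            i += 1
        elif sql[i + 1:i + 2] == quote:       # doubled quote stays inside
            i += 2
        else:
            return i + 1
    return len(sql)                           # unterminated: mask to the end

def redact_aes_literals(sql):
    """Mask every string literal inside AES_ENCRYPT()/AES_DECRYPT() calls."""
    out, pos = [], 0
    while (m := AES_CALL.search(sql, pos)):
        out.append(sql[pos:m.end()])
        i, depth = m.end(), 1
        while i < len(sql) and depth:         # walk the call's argument list
            ch = sql[i]
            if ch in "'\"":
                i = _end_of_literal(sql, i)
                out.append(MASK)
                continue
            depth += (ch == "(") - (ch == ")")
            out.append(ch)
            i += 1
        pos = i
    out.append(sql[pos:])
    return "".join(out)

class AesRedactingFilter(logging.Filter):
    """Logging filter (hypothetical name) that scrubs SQL before it is written."""
    def filter(self, record):
        record.msg, record.args = redact_aes_literals(record.getMessage()), ()
        return True

if __name__ == "__main__":
    # Constructed sample statement, not taken from the page.
    print(redact_aes_literals("SELECT AES_DECRYPT(secret, 'hunter2') FROM users"))
```

Literals outside the AES calls are left untouched, and a truncated statement with an unterminated literal is masked to the end of the line rather than leaked.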
