Sometimes I look through my MySQL logs and stumble upon AES_ENCRYPT/AES_DECRYPT queries that show passwords in plain text.
But what about the MySQL general/slow query logs? Is there an option for them, or is there a MySQL variable that can be set so these are not saved in the logs?
From 5.2.3. The General Query Log:
As of MySQL 5.6.3, passwords in statements written to the general
query log are rewritten by the server not to occur literally in plain
text. Password rewriting can be suppressed for the general query log
by starting the server with the --log-raw option. This option may be
useful for diagnostic purposes, to see the exact text of statements as
received by the server, but for security reasons is not recommended
for production use.
Before MySQL 5.6.3, passwords in statements are not rewritten and the
general query log should be protected. See Section 6.1.2.2.
Unfortunately, the built-in password rewriting for the logs (since 5.6.3) only applies to the MySQL PASSWORD() function.
I found some possible solutions for your problem:
> For each query: disable the log, execute the query, enable the log
> Hide the password in the application itself (in your case, PHP sha)
> Protect the log files so that nobody can see these statements
> Log to an application that strips the passwords itself
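The last option above, a log consumer that strips the secrets itself, as an added example that is not part of the answer or of MySQL: a small Python filter that masks every string literal passed to AES_ENCRYPT, AES_DECRYPT or PASSWORD in general-query-log lines. The log lines, the function names being treated as sensitive and the `'***'` marker are all assumptions made for this example; a general-log line is assumed to carry the statement text after the `Query` tab, which is the format shown in the constructed sample.

```python
import re

# Constructed sample lines in MySQL general query log format (not real captures).
SAMPLE_LOG = (
    "2024-01-01T10:00:00.000000Z\t   12 Query\t"
    "INSERT INTO t (c) VALUES (AES_ENCRYPT('s3cret', 'k3y'))\n"
    "2024-01-01T10:00:01.000000Z\t   12 Query\t"
    'SELECT AES_DECRYPT(c, "k3y") FROM t\n'
    "2024-01-01T10:00:02.000000Z\t   12 Query\t"
    "SELECT PASSWORD('pa''ss')\n"
    "2024-01-01T10:00:03.000000Z\t   12 Query\tSELECT 1\n"
)

# Functions whose string arguments are assumed to carry secrets
# (plaintext and key for AES_*, the password for PASSWORD()).
SENSITIVE_FUNCS = ("AES_ENCRYPT", "AES_DECRYPT", "PASSWORD")

# A MySQL string literal: single- or double-quoted, allowing backslash
# escapes and doubled quotes ('' or "") inside the literal.
_SINGLE = r"'(?:[^'\\]|\\.|'')*'"
_DOUBLE = r'"(?:[^"\\]|\\.|"")*"'
_LITERAL_RE = re.compile(_SINGLE + "|" + _DOUBLE)

# A call to one of the sensitive functions whose argument list contains
# no nested parentheses (see the limitation noted in redact_statement).
_CALL_RE = re.compile(
    r"\b(" + "|".join(SENSITIVE_FUNCS) + r")\s*\(([^()]*)\)", re.IGNORECASE
)

REDACTED = "'***'"  # assumed marker written in place of each literal


def redact_statement(sql: str) -> str:
    """Mask every string literal passed to a sensitive function call.

    Only calls whose argument list has no nested parentheses are handled;
    a nested call such as AES_ENCRYPT(CONCAT(...), 'k') is left untouched,
    because a regex cannot balance parentheses. Treat such lines as
    'unknown' rather than 'clean' when reviewing the output.
    """
    def _mask(match: "re.Match") -> str:
        args = _LITERAL_RE.sub(REDACTED, match.group(2))
        return "%s(%s)" % (match.group(1), args)

    return _CALL_RE.sub(_mask, sql)


def leaked_literals(sql: str) -> list:
    """Return the string literals found inside sensitive calls.

    Useful as a detection check: a non-empty result on a line that has
    already passed through the redactor means a literal slipped through.
    """
    found = []
    for match in _CALL_RE.finditer(sql):
        found.extend(
            lit for lit in _LITERAL_RE.findall(match.group(2)) if lit != REDACTED
        )
    return found


def redact_log(text: str) -> list:
    """Apply redact_statement to every line of a general-log excerpt."""
    return [redact_statement(line) for line in text.splitlines()]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

The filter is meant to sit between the raw log and anything that stores or ships it; the raw file still needs the file-permission protection the answer mentions, since redaction happens after MySQL has already written the plaintext. The first option in the list corresponds to the session variable `sql_log_off`, which suppresses general-log writes for the current session and requires SUPER, so it is only practical for a dedicated application account.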