From:
Date: July 29 2005 3:49pm
Subject: Re: mysql command line execution
List-Archive: http://lists.mysql.com/mysql/187082
Message-Id: <42EA33D4.9090408@carclasse.pt>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit

Michael Stassen wrote:
> Ehrwin Mina wrote:
>
>> Jeff,
>>
>> You can make a shell script or a php script or a perl script; that
>> way you can hide the commands you need to execute.
>>
>> e.g.
>>
>> Make a shell script (myshell.sh)
>>
>> #!/bin/sh
>>
>> myuser=dbuser
>> mypasswd=dbpassword
>> mydb=dbname
>> myhost=localhost
>> myport=3306
>>
>> db1="mysql -u$myuser -p$mypasswd -D$mydb -h$myhost -P$myport"
>>
>> echo "repair table employee" | $db1
>> echo "unlock table " | $db1
>>
>> exit
>
>
> This is no more secure, as it still puts the password on the command
> line. Your script amounts to
>
> echo "repair table employee" | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
>
> echo "unlock table " | mysql -udbuser -pdbpassword -Ddbname -hlocalhost -P3306
>
> The password is on the command line of the commands issued by the
> script, so it can be seen with ps.

That isn't true. If you make a ps, you will see something like
"mysql -p x xxxxxxxx ................".

As I said before, you can use something like:

"mysql -uUser --password=`cat password_file` db"

See http://lists.mysql.com/mysql/186720.

But ensure that the password_file has access restrictions like
-r--------, so that only the owner can read it.

>
> The solution is to put the password in an option file (usually .my.cnf)
> instead. The client, mysql, will read the password from the option
> file, without making it available to ps.
>
> Michael
>

--
Nuno Pereira
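
The option-file approach Michael describes, combined with the owner-only permissions Nuno asks for, as an added shell example that is not part of the original thread. The function names, the file path and the sample values are assumptions; `--defaults-extra-file` and `-e` are standard options of the mysql client.

```shell
#!/bin/sh
# Added example, not from the thread. Names and paths are illustrative.

# Create a [client] option file that only its owner can read.
# $1 = path, $2 = user, $3 = password (assumed free of '"' and '\').
write_option_file() {
    (
        umask 077      # new file is 0600 from the start
        rm -f "$1"     # an existing file would keep its old, looser mode
        printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1"
    )
}

# Succeed only if the file exists and group/other have no permission bits.
option_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# Run one statement; the password reaches mysql through the option file,
# so it never appears in the argument list that ps shows.
# $1 = option file, $2 = database, $3 = SQL
run_sql() {
    option_file_is_private "$1" || {
        echo "refusing $1: accessible by group or others" >&2
        return 1
    }
    # --defaults-extra-file must be the first option on the command line.
    mysql --defaults-extra-file="$1" "$2" -e "$3"
}

# Usage (constructed values):
#   write_option_file "$HOME/.repair.cnf" dbuser 'dbpassword'
#   run_sql "$HOME/.repair.cnf" dbname "repair table employee"
```
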