-
Tatjana Azundris Nuernberg authored
Rewriting ("password obfuscation", WL#5706) now also works for prepared statements, i.e. we try not to log any passwords while handling prepared statements: In the general log, -- the "Query" line (for SQL PS) will no no longer contain the statement to prepare; if we prepare from a variable, its name is still given, but if we prepare from a string literal, that literal is not logged as we don't yet know whether it contains a password. - as always, --log_raw forces "old behaviour", i.e., the query is logged prior to parsing, and any passwords contained therein are printed to the log in plaintext - as before, PS protocol prepared statements only result in a Prepare line and an Execute line in the log (at prepare and at execute time, respectively); a Query line was not logged before, and is not logged now when PS protocol is used. -- the "Prepare" line will contain the statement, with passwords obfuscated -- the "Execute" line will contain the statement, with passwords obfuscated, and values filled in Query: prepare s4 from "set password=password('meow')"; execute s4; General Log: Query PREPARE s4 FROM ... Prepare SET PASSWORD FOR `root`@`localhost`=<secret> Query execute s4 Execute SET PASSWORD FOR `root`@`localhost`=<secret> In binlog, passwords are replaced with their hashes (rather than with a string literal) so replication still works. The binlog line for the above SET PASSWORD statement is, Binlog: Query use `test`; SET PASSWORD FOR 'root'@'localhost'='*82DC221D557298F6CETatjana Azundris Nuernberg authoredRewriting ("password obfuscation", WL#5706) now also works for prepared statements, i.e. we try not to log any passwords while handling prepared statements: In the general log, -- the "Query" line (for SQL PS) will no no longer contain the statement to prepare; if we prepare from a variable, its name is still given, but if we prepare from a string literal, that literal is not logged as we don't yet know whether it contains a password. - as always, --log_raw forces "old behaviour", i.e., the query is logged prior to parsing, and any passwords contained therein are printed to the log in plaintext - as before, PS protocol prepared statements only result in a Prepare line and an Execute line in the log (at prepare and at execute time, respectively); a Query line was not logged before, and is not logged now when PS protocol is used. -- the "Prepare" line will contain the statement, with passwords obfuscated -- the "Execute" line will contain the statement, with passwords obfuscated, and values filled in Query: prepare s4 from "set password=password('meow')"; execute s4; General Log: Query PREPARE s4 FROM ... Prepare SET PASSWORD FOR `root`@`localhost`=<secret> Query execute s4 Execute SET PASSWORD FOR `root`@`localhost`=<secret> In binlog, passwords are replaced with their hashes (rather than with a string literal) so replication still works. The binlog line for the above SET PASSWORD statement is, Binlog: Query use `test`; SET PASSWORD FOR 'root'@'localhost'='*82DC221D557298F6CE
Loading