Before MySQL 5.6.3, the CREATE USER, GRANT, and SET PASSWORD statements are written to the binary log with the password in plaintext.
mysql> SELECT version();
+------------+
| version()  |
+------------+
| 5.5.22-log |
+------------+
1 row in set (0.04 sec)
mysql> GRANT ALL ON test.* TO 'huarong'@'localhost' IDENTIFIED BY 'ddddddd';
Query OK, 0 rows affected (0.09 sec)
[root@www DATA]# ../bin/mysqlbinlog mysql-bin.000075 | grep -i GRANT
GRANT ALL ON test.* TO 'huarong'@'localhost' IDENTIFIED BY 'ddddddd'
Starting with 5.6.3, the plaintext password is no longer saved.
mysql> SELECT version();
+--------------+
| version()    |
+--------------+
| 5.6.9-rc-log |
+--------------+
1 row in set (0.00 sec)
mysql> GRANT ALL ON test.* TO 'huarong'@'localhost' IDENTIFIED BY 'ddddddd';
Query OK, 0 rows affected (0.01 sec)
mysql> UPDATE mysql.user SET password=password("dddddddd");
Query OK, 8 rows affected (0.03 sec)
Rows matched: 8  Changed: 8  Warnings: 0
[root@H209 DATA]# ../bin/mysqlbinlog H209-bin.000005 |grep -i password
GRANT ALL PRIVILEGES ON `test`.* TO 'huarong'@'localhost' IDENTIFIED BY PASSWORD '*8CB385371F7D036426CB076CF82053DA43F55A8B'
UPDATE mysql.user SET password=password("dddddddd")
However, calling the password() function directly in an SQL statement still causes the plaintext password to be logged.
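To audit existing binary logs for the two leak patterns shown above, the following added example (not part of the original post) scans decoded mysqlbinlog text and reports the offending statements with the secret redacted. The function names are hypothetical and the sample lines are constructed from the sessions on this page.

```python
import re
import sys

# Constructed sample: decoded binlog statements modelled on the sessions above.
SAMPLE = """\
GRANT ALL ON test.* TO 'huarong'@'localhost' IDENTIFIED BY 'ddddddd'
GRANT ALL PRIVILEGES ON `test`.* TO 'huarong'@'localhost' IDENTIFIED BY PASSWORD '*8CB385371F7D036426CB076CF82053DA43F55A8B'
UPDATE mysql.user SET password=password("dddddddd")
INSERT INTO test.t1 VALUES (1, 'no credentials here')
"""

# A quoted literal, allowing backslash-escaped characters inside it.
_LITERAL = r"(['\"])((?:\\.|(?!\2).)*)\2"

PATTERNS = [
    # IDENTIFIED BY '<plaintext>'; IDENTIFIED BY PASSWORD '<hash>' does not
    # match because a quote must follow BY directly.
    ("IDENTIFIED BY literal", re.compile(r"(IDENTIFIED\s+BY\s+)" + _LITERAL, re.I)),
    # PASSWORD('<plaintext>') calls, as in UPDATE mysql.user or SET PASSWORD.
    ("PASSWORD() literal", re.compile(r"(PASSWORD\s*\(\s*)" + _LITERAL, re.I)),
]


def _redact(match):
    """Keep the keyword and the quote characters, drop the secret itself."""
    return f"{match.group(1)}{match.group(2)}<redacted>{match.group(2)}"


def find_plaintext_secrets(binlog_text):
    """Return (line_number, kind, redacted_statement) for each leaking line."""
    findings = []
    for lineno, line in enumerate(binlog_text.splitlines(), 1):
        kinds = [kind for kind, pat in PATTERNS if pat.search(line)]
        if not kinds:
            continue
        safe = line
        for _, pat in PATTERNS:
            safe = pat.sub(_redact, safe)  # never echo the secret in the report
        findings.append((lineno, kinds[0], safe))
    return findings


if __name__ == "__main__":
    # Pipe `mysqlbinlog <file>` into this script, or run it bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for lineno, kind, stmt in find_plaintext_secrets(text):
        print(f"line {lineno}: {kind}: {stmt}")
```

Any line it reports means the binary log file itself holds a recoverable password, so the file's permissions, retention, and replication copies need the same protection as the credential.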