mysqldump warning in bash script

[wyclef]

How can I get the following script to be more secure? I am getting a mysqldump warning.

mysqldump: [Warning] Using a password on the command line interface can be insecure.

# Dump MySQL in staging area
echo "------------------------------------------------"
echo "Dumping MySQL..."
mysqldump -h "$host" -u "$username" -p"$password" "$dbName" > ~/tmp/"$projectName"/database.sql
echo "Done!"

Thanks!

 

[Ian]

Because you're passing the credentials in a script like that, it's insecure by design - i.e. anyone looking at the source can see the username and password.

Alternatively, you can store auth credentials in a mylogin.cnf file, which will be obfuscated:

MySQL :: MySQL 8.0 Reference Manual :: 4.6.7 mysql_config_editor — MySQL Configuration Utility

dev.mysql.com

 

[wyclef]

I see. This is the source for the credentials.

# Credentials
host=$(grep DB_HOST "config.php" |cut -d "'" -f 4)
username=$(grep DB_USER "config.php" | cut -d "'" -f 4)
password=$(grep DB_PASSWORD "config.php" | cut -d "'" -f 4)
dbName=$(grep DB_NAME "config.php" |cut -d "'" -f 4)

I am a bit new at this type of scripting. Can you elaborate on how to store the auth credentials in the .cnf file?

 

[Ian]

I am a bit new at this type of scripting. Can you elaborate on how to store the auth credentials in the .cnf file?

I've not done this before myself, so I'm not sure how it's done. However, if you're pulling the credentials direct from a config.php file, then I don't think you're adding any additional layer of insecurity - so depending on the environment, you may be ok doing this.