RE: hiding passwd in cmdlines that appear in the process list

Would it be possible, Jochem, to just make a shell script that does the call to mysql and have PHP exec() the shell script?

I don't know if you'd have the same problem or not.  I've never done something like this in *nix and paid attention to the process list.

Also, I'm guessing you're seeing your password show up because, if I recall, putting a command in backticks `command` will evaluate the command and insert its output in that spot, so your "cat" command gets pre-evaluated before the line is executed. (Maybe you knew how that worked, or maybe you just knew that doing it this way worked, but I think that's what happens, if memory serves.)

You may be able to do something else that doesn't involve using the backticks.

If you leave off the password string, it asks for the password interactively right?  In DOS and I believe in *nix systems, you can simulate the interactive part with pipes.

I don't know if this would work, but maybe something like this:

cat /my/sql/root/passwd/file | mysql -h localhost --user=admin -D somedb < "/my/import/script.sql" 2>&1


No idea if that'd work, but it might put you in the right ballpark.

Good luck and let us know when you find a good solution!

-TG


= = = Original message = = =

hi jochem...

if no one provides you with a solution.. you might replicate what's already
been done in one of the php/mysql/web admin apps. given that these apps
already manage the mysql functions, so i'm willing to bet that some of them
have resolved this issue...



-----Original Message-----
From: Jochem Maas [mailto:jochem@xxxxxxxxxxxxx]
Sent: Wednesday, November 29, 2006 4:10 AM
To: [php] PHP General List
Subject:  hiding passwd in cmdlines that appear in the process list


I have been using exec() for a number of things recently - one of the things
I'm using it for is to run mysql in order to import SQL scripts

so I have some code that looks like:

    // build the cmdline
    $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s < "%s" 2>&1',
                   MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
                   $data['db_name']['value'], $file);

    // run the mysql command via the cmdline
    $output = array(); $exit = 0;
    @exec($cmd, $output, $exit);

everything works. but there is a security issue - one that I thought I had
specifically tackled.

the security issue occurs due to the fact that the process list (this is
just linux I'm talking about) will show the complete command line, which in
my case would look something like (in the processlist):


mysql -h localhost --user=admin --password=`cat /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1


AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`" masks
the actual password from anyone looking in the process list. Indeed, under normal
shell scripting circumstances that may have been true.

BUT using php's exec() to run the cmdline causes the following to show up
in the processlist:


sh -c mysql -h localhost --user=admin --password=`cat /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1


AND that [sub]shell then lists its process(es) in the list also; there is
only one, and it is this:


mysql -h localhost --user=admin --password=MYFINGPWD -D somedb


does anyone have an idea how to overcome this security issue (without
resorting to having to type in the mysql admin passwd interactively!)

thanks & regards,
Jochem
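One way to keep the password out of every process's argument list, as an added example that is not code from this thread: read the secret in PHP, hand it to the mysql client through a 0600 option file via its --defaults-extra-file option, and build the rest of the command with escapeshellarg(). The function name importSqlFile and its parameters are assumptions; the constants and variables mirror the snippet above.

```php
<?php
// Added example (not from the thread). Both `sh -c ...` and the mysql
// child now show only file names in `ps` / /proc/<pid>/cmdline; the
// password itself never becomes an argument of any process.
function importSqlFile($host, $user, $rootPasswdFile, $dbName, $sqlFile, &$output)
{
    // Read the secret ourselves instead of letting a backtick
    // substitution expand it into the child's argument list.
    $password = rtrim(file_get_contents($rootPasswdFile), "\r\n");

    // Temporary option file readable only by the PHP process's user.
    $oldUmask = umask(0077);
    $optFile  = tempnam(sys_get_temp_dir(), 'mycnf');
    umask($oldUmask);
    chmod($optFile, 0600);

    // mysql reads the [client] group; quote values so that spaces or
    // '#' in the password survive the option-file parser.
    $ini = "[client]\n"
         . 'user="'     . addcslashes($user, "\"\\")     . "\"\n"
         . 'password="' . addcslashes($password, "\"\\") . "\"\n";
    file_put_contents($optFile, $ini);

    // --defaults-extra-file must be the first option on the mysql
    // command line. Every user-controlled value is shell-escaped.
    $cmd = sprintf('mysql --defaults-extra-file=%s -h %s -D %s < %s 2>&1',
                   escapeshellarg($optFile),
                   escapeshellarg($host),
                   escapeshellarg($dbName),
                   escapeshellarg($sqlFile));

    $output = array();
    $exit   = 0;
    exec($cmd, $output, $exit);

    // Remove the secret from disk as soon as the import has finished.
    unlink($optFile);
    return $exit;
}

// Usage matching the original call site:
// $rc = importSqlFile(MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
//                     $data['db_name']['value'], $file, $output);
```

The point of the file route is that /proc/<pid>/cmdline is traditionally readable by every local user, whereas a 0600 option file is readable only by the owner and root. If the web server and the mysql client run as the same user, any other process of that user can still read the file while it exists, which is why it is deleted immediately after the import.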




-- 
PHP General Mailing List (http://www.php.net/)

