SECRET

Provides the ability to hide credentials from queries. Credentials passed in a query can remain in plain text when the query is parameterized, which means they can appear in logs and in the process list. To counter this, use the SECRET() function. SECRET() takes a string (such as a password or other sensitive information) and replaces it with the literal string "<password>" during parameterization. The string itself is unchanged for the query, however.

Syntax

SECRET(str)

Arguments

  • str: any string

Return Type

String

Remarks

  • There are two cases where the string passed to the SECRET() function could still be exposed:

    • When SECRET() is used as a column without an alias:

      SELECT SECRET(argument);

      Instead, use something like:

      SELECT SECRET(argument) AS column_name;
    • When the NOPARAM() function is combined with SECRET():

      SECRET(NOPARAM(argument));
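The two exposure cases above are easy to miss in review, so here is a small lint, added as an example and not part of the original page, that scans SQL text for them before it is deployed: a SECRET() used in a select list without an explicit AS alias, and a SECRET() wrapping NOPARAM(). The function name check_secret_usage, the helper _select_list and the sample queries are constructed for this example; the lint only recognizes the AS keyword form of an alias.

```python
import re

# A SECRET( ... ) call, allowing one nested level of parentheses so that
# SECRET(NOPARAM('x')) is matched as a whole, optionally followed by "AS alias".
_SECRET_CALL = re.compile(
    r"SECRET\s*\((?:[^()]|\([^()]*\))*\)"
    r"(?P<alias>\s+AS\s+[A-Za-z_][A-Za-z0-9_]*)?",
    re.IGNORECASE,
)

# The second exposure case from the Remarks: NOPARAM() inside SECRET() keeps
# the argument out of parameterization, so the masking never happens.
_NOPARAM_INSIDE = re.compile(r"SECRET\s*\(\s*NOPARAM\s*\(", re.IGNORECASE)


def _select_list(sql: str):
    """Return the text between SELECT and FROM (or end of statement), or None
    when the statement has no SELECT at all (e.g. a CALL)."""
    m = re.search(r"\bSELECT\b(.*?)(?:\bFROM\b|;|$)", sql, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else None


def check_secret_usage(sql: str) -> list:
    """Return one finding per exposure case present in the statement.

    Hypothetical lint: it encodes only the two cases the SECRET() docs call out.
    """
    findings = []
    if _NOPARAM_INSIDE.search(sql):
        findings.append(
            "SECRET() wraps NOPARAM(): the argument is not parameterized and will be exposed"
        )
    # Only select-list columns need an alias; a SECRET() passed as a procedure
    # argument (CALL ...) is not a result column and is not flagged.
    select_list = _select_list(sql)
    if select_list is not None:
        for m in _SECRET_CALL.finditer(select_list):
            if not m.group("alias"):
                findings.append(
                    "SECRET() used as a column without an alias: %s" % m.group(0)
                )
    return findings


if __name__ == "__main__":
    # Constructed sample statements covering the safe and unsafe forms.
    samples = [
        "SELECT SECRET('pw');",
        "SELECT SECRET('pw') AS hidden;",
        "SELECT SECRET(NOPARAM('pw'));",
        "CALL db.log_in_now('root', SECRET('super-secret-password'));",
    ]
    for stmt in samples:
        print(stmt, "->", check_secret_usage(stmt) or "ok")
```

Run it over a file of statements before they ship; anything that prints a finding should be rewritten with an alias or without NOPARAM(), as the Remarks describe.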

Example

CALL db.log_in_now('root', SECRET('super-secret-password'));