SECRET
Provides the ability to hide credentials from queries.
Passing credentials in queries can leave them exposed in plain text during parameterization, which means they can be seen in logs and the process list. To counter this, you can use the SECRET() function. SECRET() takes a string (such as a password or other sensitive information) and replaces it with the literal string "<password>" during parameterization. The query itself still receives the original, unchanged string.
Syntax
SECRET(str)
Arguments
str: any string
Return Type
String
Remarks
There are two cases where the string passed in the SECRET() function could still be exposed:

- When SECRET() is used as a column without an alias:
  SELECT SECRET(argument);
  Instead, use something like:
  SELECT SECRET(argument) AS column_name;
- When the NOPARAM() function is combined with SECRET():
  SECRET(NOPARAM(argument));
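
The two cases in the Remarks can be caught before a statement ships. The following is an added example, not part of the product or its documentation: a heuristic pre-commit check, with the hypothetical names check_secret_usage and _closing_paren, that flags both cases in a SQL string. It assumes an alias is always written with an explicit AS, as in the corrected form above.

```python
import re

SECRET_CALL = re.compile(r"\bSECRET\s*\(", re.IGNORECASE)

def _closing_paren(sql, open_idx):
    """Index of the ')' matching the '(' at open_idx; parens inside quotes are ignored."""
    depth, quote, i = 0, None, open_idx
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1

def check_secret_usage(sql):
    """Return (offset, rule) findings; the secret itself is never echoed."""
    findings = []
    for m in SECRET_CALL.finditer(sql):
        open_idx = m.end() - 1
        close_idx = _closing_paren(sql, open_idx)
        if close_idx == -1:
            continue                        # unbalanced call, nothing to judge
        inner, before, after = sql[open_idx + 1:close_idx], sql[:m.start()], sql[close_idx + 1:]
        # Case 2 from the Remarks: SECRET(NOPARAM(...))
        if re.match(r"\s*NOPARAM\s*\(", inner, re.IGNORECASE):
            findings.append((m.start(), "noparam-inside-secret"))
        # Case 1 from the Remarks: SECRET() in a SELECT column list with no AS alias
        in_select_list = re.search(r"\bSELECT\s+(?:[^()]*,\s*)?$", before, re.IGNORECASE)
        has_alias = re.match(r"\s*AS\s+\w+", after, re.IGNORECASE)
        if in_select_list and not has_alias:
            findings.append((m.start(), "unaliased-secret-column"))
    return findings

if __name__ == "__main__":
    # Constructed sample statements, not taken from a real workload
    for stmt in ["SELECT SECRET('pw');", "SELECT SECRET('pw') AS column_name;",
                 "SELECT SECRET(NOPARAM('pw')) AS c;"]:
        print(check_secret_usage(stmt))
```

This is a text-level heuristic, not a SQL parser: it can flag a SECRET() call that follows a comma outside the column list, so treat findings as prompts for review.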
Example
CALL db.log_in_now('root', SECRET('super-secret-password'));