No big problem via the loopback adapter (i.e. localhost): the packets do
not leave the local machine.

If you really want to know what happens with the password, either find a
description of the MySQL network protocol (the MySQL web site should be
a good source) or set up Wireshark to look at the packets exchanged
between MySQL server and MySQL client during session setup. You could
also try to find the code used in the MySQL client library that handles
the session setup and follow the password through the code until it is
sent out via a socket function.

If you are worried about a MySQL connection between two machines via the
internet, use a VPN connection between the machines, or use an SSH
connection from the client to the server, forwarding the MySQL port
through the SSH connection. This way, you don't have to expose the MySQL
server to the internet at all, which is probably a good idea anyway. In
that case, it also doesn't matter if MySQL encrypts the password or not.

Alexander

andrew...@yahoo.com wrote:

When connecting to a MySQL server with DBI->connect:

    $dsn = "dbi:mysql:$database:localhost:3306";
    $dbh = DBI->connect($dsn, $username, $password);

is the password sent in the clear? If so, how can this be dealt with?
I actually don't care about hiding the plaintext password in the perl
source file or encrypting the connection with the database, I just
don't want the world to see my password when it goes out over the
network. Is that so much to ask for? I would think this would be an
obvious issue but as far as I can tell, nobody has ever asked this
question before in the history of the internet. Apparently a direct
command line connection to a MySQL server will not send the password
in the clear:

    mysql -u andrew732 -p -h 123.456.789.876

but even that took me several hours of googling to figure out. I'm
not new to Perl but I'm new to databases; is there a good reason that
nobody seems to care about password security when it comes to
databases? I would love to be enlightened! Thanks~