Web Directory: mysql docs, manual MySQL Database Administration.php
Search:  
MySQL Reference Manual for version 5.0.0-alpha. - 5 Database Administration Go to the first, previous, next, last section, table of contents.


5 Database Administration

This chapter covers topics that deal with administering a MySQL installation, such as configuring the server, managing user accounts, and performing backups.

5.1 The MySQL Server and Server Startup Scripts

The MySQL server, mysqld, is the main program that does most of the work in a MySQL installation. The server is accompanied by several related scripts that perform setup operations when you install MySQL or that are helper programs to assist you in starting and stopping the server.

This section provides an overview of the server and related programs, and information about server startup scripts. Information about configuring the server itself is given in section 5.2 Configuring the MySQL Server.

5.1.1 Overview of the Server-Side Scripts and Utilities

All MySQL programs take many different options. However, every MySQL program provides a --help option that you can use to get a description of the program's options. For example, try mysqld --help.

You can override default options for all standard programs by specifying options on the command line or in an option file. section 4.3 Specifying Program Options.

The following list briefly describes the MySQL server and server-related programs:

mysqld
The SQL daemon (that is, the MySQL server). To use client programs, this program must be running, because clients gain access to databases by connecting to the server. See section 5.2 Configuring the MySQL Server.
mysqld-max
A version of the server that includes additional features. See section 5.1.2 The mysqld-max Extended MySQL Server.
mysqld_safe
A server startup script. mysqld_safe attempts to start mysqld-max if it exists, and mysqld otherwise. See section 5.1.3 The mysqld_safe Server Startup Script.
mysql.server
A server startup script. This script is used on systems that use run directories containing scripts that start system services for particular run levels. It invokes mysqld_safe to start the MySQL server. See section 5.1.4 The mysql.server Server Startup Script.
mysqld_multi
A server startup script that can start or stop multiple servers installed on the system. See section 5.1.5 The mysqld_multi Program for Managing Multiple MySQL Servers.
mysql_install_db
This script creates the MySQL grant tables with default privileges. It is usually executed only once, when first installing MySQL on a system.
mysql_fix_privilege_tables
This script is used after an upgrade install operation, to update the grant tables with any changes that have been made in newer versions of MySQL.

There are several other programs that also are run on the server host:

myisamchk
A utility to describe, check, optimize, and repair MyISAM tables. myisamchk is described in section 5.6.2 Using myisamchk for Table Maintenance and Crash Recovery.
make_binary_distribution
This program makes a binary release of a compiled MySQL. This could be sent by FTP to `/pub/mysql/Incoming' on support.mysql.com for the convenience of other MySQL users.
mysqlbug
The MySQL bug reporting script. It can be be used to send a bug report to the MySQL list. (You can also visit http://bugs.mysql.com/ to file a bug report online.)

5.1.2 The mysqld-max Extended MySQL Server

A MySQL-Max server is a version of the mysqld MySQL server that has been built to include additional features.

The distribution to use depends on your platform:

  • For Windows, the MySQL binary distributions include both the standard server (mysqld.exe) and the MySQL-Max server (mysqld-max.exe), so you need not get a special distribution. Just use a regular Windows distribution, available at http://www.mysql.com/downloads/mysql-4.0.php. See section 2.2.1 Installing MySQL on Windows.
  • For Linux, if you install MySQL using RPM distributions, use the regular MySQL-server RPM first to install a standard server named mysqld. Then use the MySQL-Max RPM to install a server named mysqld-max. The MySQL-Max RPM presupposes that you have already installed the regular server RPM. See section 2.2.2 Installing MySQL on Linux for more information on the Linux RPM packages.
  • All other MySQL-Max distributions contain a single server that is named mysqld but that has the additional features included.

You can find the MySQL-Max binaries on the MySQL AB Web site at http://www.mysql.com/downloads/mysql-4.0.php.

MySQL AB builds the MySQL-Max servers by using the following configure options:

--with-server-suffix=-max
This option adds a -max suffix to the mysqld version string.
--with-innodb
This option enables support for the InnoDB storage engine. MySQL-Max servers always include InnoDB support, but this option actually is used only for MySQL 3.23 because InnoDB is not included by default until MySQL 4. From MySQL 4 on, InnoDB is included by default in binary distributions, so you do not need a MySQL-Max server to obtain InnoDB support.
--with-bdb
This option enables support for the Berkeley DB (BDB) storage engine.
CFLAGS=-DUSE_SYMDIR
This define enables symbolic link support for Windows.

MySQL-Max binary distributions are a convenience for those who wish to install precompiled programs. If you build MySQL using a source distribution, you can build your own Max-like server by enabling the same features at configuration time that the MySQL-Max binary distributions are built with.

MySQL-Max servers include the BerkeleyDB (BDB) storage engine whenever possible, but not all platforms support BDB. The following table shows which platforms allow MySQL-Max binaries to include BDB:

System BDB Support
AIX 4.3 N
HP-UX 11.0 N
Linux-Alpha N
Linux-IA-64 N
Linux-Intel Y
Mac OS X N
NetWare N
SCO OSR5 Y
Solaris-Intel N
Solaris-SPARC Y
UnixWare Y
Windows/NT Y

To find out which storage engines your server supports, issue the following statement:

mysql> SHOW ENGINES;

Before MySQL 4.1.2, use the following statement instead and check the value of the variable for the storage engine in which you are interested:

mysql> SHOW VARIABLES LIKE 'have_%';
+------------------+----------+
| Variable_name    | Value    |
+------------------+----------+
| have_bdb         | NO       |
| have_crypt       | YES      |
| have_innodb      | YES      |
| have_isam        | NO       |
| have_raid        | NO       |
| have_symlink     | DISABLED |
| have_openssl     | NO       |
| have_query_cache | YES      |
+------------------+----------+

The values in the second column indicate the server's level of support for each feature:

Value Meaning
YES The feature is supported and is active.
NO The feature is not supported.
DISABLED The feature is supported but has been disabled.

A value of NO means that the server was compiled without support for the feature, so it cannot be activated at runtime.

A value of DISABLED occurs either because the server was started with an option that disables the feature, or because not all options required to enable it were given. In the latter case, the hostname.err error log file should contain a reason indicating why the option is disabled.

One situation in which you might see DISABLED occurs with MySQL 3.23 when the InnoDB storage engine is compiled in. In MySQL 3.23, you must supply at least the innodb_data_file_path option at runtime to set up the InnoDB tablespace. Without this option, InnoDB disables itself. See section 16.3 InnoDB in MySQL 3.23. You can specify configuration options for the BDB storage engine, too, but BDB will not disable itself if you do not provide them. See section 15.4.3 BDB Startup Options.

You might also see DISABLED for the InnoDB, BDB, or ISAM storage engines if the server was compiled to support them, but was started with the --skip-innodb, --skip-bdb, or --skip-isam options at runtime.

As of Version 3.23, all MySQL servers support MyISAM tables, because MyISAM is the default storage engine.

5.1.3 The mysqld_safe Server Startup Script

mysqld_safe is the recommended way to start a mysqld server on Unix and NetWare. mysqld_safe adds some safety features such as restarting the server when an error occurs and logging run-time information to an error log file. NetWare-specific behaviors are listed later in this section.

Note: Before MySQL 4.0, mysqld_safe is named safe_mysqld. To preserve backward compatibility, MySQL binary distributions for some time will include safe_mysqld as a symbolic link to mysqld_safe.

By default, mysqld_safe tries to start an executable named mysqld-max if it exists, or mysqld otherwise. Be aware of the implications of this behavior:

  • On Linux, the MySQL-Max RPM relies on this mysqld_safe behavior. The RPM installs an executable named mysqld-max, which causes mysqld_safe to automatically use that executable from that point on.
  • If you install a MySQL-Max distribution that includes a server named mysqld-max, then upgrade later to a non-Max version of MySQL, mysqld_safe will still attempt to run the old mysqld-max server. If you perform such an upgrade, you should manually remove the old mysqld-max server to ensure that mysqld_safe runs the new mysqld server.

To override the default behavior and specify explicitly which server you want to run, specify a --mysqld or --mysqld-version option to mysqld_safe..

Many of the options to mysqld_safe are the same as the options to mysqld. See section 5.2.1 mysqld Command-line Options.

Note that all options specified to mysqld_safe on the command line are passed to mysqld. If you want to use any options that are specific to mysqld_safe and that mysqld doesn't support, do not specify them on the command line. Instead, list in the [mysqld_safe] group of an option file. See section 4.3.2 Using Option Files.

mysqld_safe reads all options from the [mysqld], [server] and [mysqld_safe] sections in option files. (For backward compatibility, it also reads [safe_mysqld] sections, though you should rename such sections to [mysqld_safe] when you begin using MySQL 4.0 or later.)

mysqld_safe supports the following options:

--basedir=path
The path to the MySQL installation directory.
--core-file-size=size
The size of the core file mysqld should be able to create. The option value is passed to ulimit -c.
--datadir=path
The path to the data directory.
--defaults-extra-file=path
The name of an option file to be read in addition to the usual option files.
--defaults-file=path
The name of an option file to be read instead of the usual option files.
--err-log=path
The old form of the --log-error option, to be used before MySQL 4.0.
--ledir=path
The path to the directory containing the mysqld program. Use this option to explicitly indicate the location of the server.
--log-error=path
Write the error log to the given file. See section 5.8.1 The Error Log.
--mysqld=prog_name
The name of the server program (in the ledir directory) that you want to start.
--mysqld-version=suffix
This option is similar to the --mysqld option, but you specify only the suffix for the server program name. The basename is assumed to be mysqld. For example, if you use --mysqld-version=max, mysqld_safe will start the mysqld-max program in the ledir directory. If the argument to --mysqld-version is empty, mysqld_safe uses mysqld in the ledir directory.
--nice=priority
Use the nice program to set the server's scheduling priority to the given value. This option was added in MySQL 4.0.14.
--no-defaults
Do not read any option files.
--open-files-limit=count
The number of files mysqld should be able to open. The option value is passed to ulimit -n. Note that you need to start mysqld_safe as root for this to work properly!
--pid-file=path
The path to the process ID file.
--port=port_num
The port number to use when listening for TCP/IP connections.
--socket=path
The Unix socket file to use for local connections.
--timezone=zone
Set the TZ time zone environment variable to the given option value. Consult your operating system documentation for legal time zone specification formats.
--user={user_name | user_id}
Run the mysqld server as the user having the name user_name or the numeric user ID user_id. (``User'' in this context refers to a system login account, not a MySQL user listed in the grant tables.)

The mysqld_safe script is written so that it normally can start a server that was installed from either a source or a binary distribution of MySQL, even though these types of distributoins typically install the server in slightly different locations. (See section 2.1.8 Installation Layouts.) mysqld_safe expects one of the following conditions to be true:

  • The server and databases can be found relative to the directory from which mysqld_safe is invoked. For binary distributions, mysqld_safe looks under its working directory for `bin' and `data' directories. For source distributions, it looks for `libexec' and `var' directories. This condition should be met if you execute mysqld_safe from your MySQL installation directory (for example, `/usr/local/mysql' for a binary distribution).
  • If the server and databases cannot be found relative to the working directory, mysqld_safe attempts to locate them by absolute pathnames. Typical locations are `/usr/local/libexec' and `/usr/local/var'. The actual locations are determined from the values configured into the distribution at the time it was built. They should be correct if MySQL is installed in the location specified at configuration time.

Because mysqld_safe will try to find the server and databases relative to its own working directory, you can install a binary distribution of MySQL anywhere, as long as you run mysqld_safe from the MySQL installation directory:

shell> cd mysql_installation_directory
shell> bin/mysqld_safe &

If mysqld_safe fails, even when invoked from the MySQL installation directory, you can specify the --ledir and --datadir options to indicate the directories in which the server and databases are located on your system.

Normally, you should not edit the mysqld_safe script. Instead, configure mysqld_safe by using command-line options or options in the [mysqld_safe] section of a `my.cnf' option file. In rare cases, it might be necessary to edit mysqld_safe to get it to start the server properly. However, if you do this, your modified version of mysqld_safe might be overwritten if you upgrade MySQL in the future, so you should make a copy of your edited version that you can reinstall.

On NetWare, mysqld_safe is a NetWare Loadable Module (NLM) that is ported from the original Unix shell script. It does the following:

  1. Runs a number of system and option checks.
  2. Runs a check on MyISAM and ISAM tables.
  3. Provides a screen presence for the MySQL server.
  4. Starts mysqld, monitors it, and restarts it if it terminates in error.
  5. Sends error messages from mysqld to the `hostname.err' file in the data directory.
  6. Sends mysqld_safe screen output to the `hostname.safe' file in the data directory.

5.1.4 The mysql.server Server Startup Script

MySQL distributions on Unix include a script named mysql.server. It can be used on systems such as Linux and Solaris that use System V-style run directories to start and stop system services. It is also used by the Mac OS X Startup Item for MySQL.

mysql.server can be found in the `support-files' directory under your MySQL installation directory or in a MySQL source tree.

Note that if you use the Linux server RPM package (MySQL-server-VERSION.rpm), the mysql.server script will already have been installed in the `/etc/init.d' directory with the name `mysql'. You need not install it manually. See section 2.2.2 Installing MySQL on Linux for more information on the Linux RPM packages.

If you install MySQL from a source distribution or using a binary distribution format that does not install mysql.server automatically, you can install it manually. Instructions are provided in section 2.4.2.2 Starting and Stopping MySQL Automatically.

mysql.server reads options from the [mysql.server] and [mysqld] sections of option files. (For backward compatibility, it also reads [mysql_server] sections, though you should rename such sections to [mysql.server] when you begin using MySQL 4.0 or later.)

5.1.5 The mysqld_multi Program for Managing Multiple MySQL Servers

mysqld_multi is meant for managing several mysqld processes that listen for connections on different Unix socket files and TCP/IP ports. It can start or stop servers, or report their current status.

The program searches for groups named [mysqld#] in `my.cnf' (or in the file named by the --config-file option). # can be any positive integer. This number is referred to in the following discussion as the option group number, or GNR. Group numbers distinquish option groups from one another and are used as arguments to mysqld_multi to specify which servers you want to start, stop, or obtain a status report for. Options listed in these groups are the same that you would use in the [mysqld] group used for starting mysqld. (See, for example, section 2.4.2.2 Starting and Stopping MySQL Automatically.) However, when using multiple servers it is necessary that each one use its own value for options such as the Unix socket file and TCP/IP port number. For more information on which options must be unique per server in a multiple-server environment, see section 5.9 Running Multiple MySQL Servers on the Same Machine.

To invoke mysqld_multi, use the following syntax:

shell> mysqld_multi [options] {start|stop|report} [GNR[,GNR]...]

start, stop, and report indicate which operation you want to perform. You can perform the designated operation on a single server or multiple servers, depending on the GNR list that follows the option name. If there is no list, mysqld_multi performs the operation for all servers in the option file.

Each GNR value represents an option group number or range of group numbers. The value should be the number at the end of the group name in the option file. For example, the GNR for a group named [mysqld17] is 17. To specify a range of numbers, separate the first and last numbers by a dash. The GNR value 10-13 represents groups [mysqld10] through [mysqld13]. Multiple groups or group ranges can be specified on the command line, separated by commas. There must be no whitespace characters (spaces or tabs) in the GNR list; anything after a whitespace character is ignored.

This command starts a single server using option group [mysqld17]:

shell> mysqld_multi start 17

This command stops several servers, using option groups [mysql8] and [mysqld10] through [mysqld13]:

shell> mysqld_multi start 8,10-13

For an example of how you might set up an option file, use this command:

shell> mysqld_multi --example

mysqld_multi supports the following options:

--config-file=name
Specify the name of an alternative option file. This affects where mysqld_multi looks for [mysqld#] option groups. Without this option, all options are read from the usual `my.cnf' file. The option does not affect where mysqld_multi reads its own options, which are always taken from the [mysqld_multi] group in the usual `my.cnf' file.
--example
Display an example option file.
--help
Display a help message and exit.
--log=name
Specify the name of the log file. If the file exists, log output is appended to it.
--mysqladmin=prog_name
The mysqladmin binary to be used to stop servers.
--mysqld=prog_name
The mysqld binary to be used. Note that you can specify mysqld_safe as the value for this option also. The options are passed to mysqld. Just make sure you have the directory where mysqld is located in your PATH environment variable setting or fix mysqld_safe.
--no-log
Print log information to stdout rather than to the log file. By default, output goes to the log file.
--password=password
The password of the MySQL account to use when invoking mysqladmin. Note that the password value is not optional for this option, unlike for other MySQL clients.
--tcp-ip
Connect to each MySQL server via the TCP/IP port instead of the Unix socket file. (If a socket file is missing, the server might still be running, but accessible only via the TCP/IP port.) By default, connections are made using the Unix socket file. This option affects stop and report operations.
--user=user_name
The username of the MySQL account to use when invoking mysqladmin.
--version
Display version information and exit.

Some notes about mysqld_multi:

  • Make sure that the MySQL account used for stopping the mysqld servers (with the mysqladmin program) has the same username and password for each server. Also, make sure that the account has the SHUTDOWN privilege. If the servers that you want to manage have many different usernames or passwords for the administrative accounts, you might want to create an account on each server that has the same username and password. For example, you might set up a common multi_admin account by executing the following commands for each server:
    shell> mysql -u root -S /tmp/mysql.sock -proot_password
    mysql> GRANT SHUTDOWN ON *.*
        -> TO 'multi_admin'@'localhost' IDENTIFIED BY 'multipass';
    
    See section 5.4.2 How the Privilege System Works. You will have to do this for each mysqld server. Change the connection parameters appropriately when connecting to each one. Note that the host part of the account name must allow you to connect as multi_admin from the host where you want to run mysqld_multi.
  • The --pid-file option is very important if you are using mysqld_safe to start mysqld (for example, --mysqld=mysqld_safe) Every mysqld should have its own process ID file. The advantage of using mysqld_safe instead of mysqld is that mysqld_safe ``guards'' its mysqld process and will restart it if the process terminates due to a signal sent using kill -9, or for other reasons such as a segmentation fault. Please note that the mysqld_safe script might require that you start it from a certain place. This means that you might have to change location to a certain directory before running mysqld_multi. If you have problems starting, please see the mysqld_safe script. Check especially the lines:
    ----------------------------------------------------------------
    MY_PWD=`pwd`
    # Check if we are starting this relative (for the binary release)
    if test -d $MY_PWD/data/mysql -a -f ./share/mysql/english/errmsg.sys -a \
     -x ./bin/mysqld
    ----------------------------------------------------------------
    
    See section 5.1.3 The mysqld_safe Server Startup Script. The test performed by these lines should be successful, or you might encounter problems.
  • The Unix socket file and the TCP/IP port must be different for every mysqld.
  • You might want to use the --user option for mysqld, but in order to do this you need to run the mysqld_multi script as the Unix root user. Having the option in the option file doesn't matter; you will just get a warning, if you are not the superuser and the mysqld processes are started under your own Unix account. Important: Make sure that the data directory is fully accessible to the Unix account that the specific mysqld process is started as. Do not use the Unix root account for this, unless you know what you are doing.
  • Most important: Before using mysqld_multi be sure that you understand the meanings of the options that are passed to the mysqld servers and why you would want to have separate mysqld processes. Beware of the dangers of using multiple mysqld servers with the same data directory. Use separate data directories, unless you know what you are doing. Starting multiple servers with the same data directory will not give you extra performance in a threaded system. See section 5.9 Running Multiple MySQL Servers on the Same Machine.

The following example shows how you might set up an option file for use with mysqld_multi. The first and fifth [mysqld#] group were intentionally left out from the example to illustrate that you can have ``gaps'' in the option file. This gives you more flexibility. The order in which the mysqld programs are started or stopped depends on the order in which they appear in the option file.

# This file should probably be in your home dir (~/.my.cnf)
# or /etc/my.cnf
# Version 2.1 by Jani Tolonen

[mysqld_multi]
mysqld     = /usr/local/bin/mysqld_safe
mysqladmin = /usr/local/bin/mysqladmin
user       = multi_admin
password   = multipass

[mysqld2]
socket     = /tmp/mysql.sock2
port       = 3307
pid-file   = /usr/local/mysql/var2/hostname.pid2
datadir    = /usr/local/mysql/var2
language   = /usr/local/share/mysql/english
user       = john

[mysqld3]
socket     = /tmp/mysql.sock3
port       = 3308
pid-file   = /usr/local/mysql/var3/hostname.pid3
datadir    = /usr/local/mysql/var3
language   = /usr/local/share/mysql/swedish
user       = monty

[mysqld4]
socket     = /tmp/mysql.sock4
port       = 3309
pid-file   = /usr/local/mysql/var4/hostname.pid4
datadir    = /usr/local/mysql/var4
language   = /usr/local/share/mysql/estonia
user       = tonu

[mysqld6]
socket     = /tmp/mysql.sock6
port       = 3311
pid-file   = /usr/local/mysql/var6/hostname.pid6
datadir    = /usr/local/mysql/var6
language   = /usr/local/share/mysql/japanese
user       = jani

See section 4.3.2 Using Option Files.

5.2 Configuring the MySQL Server

This section discusses MySQL server configuration topics:

  • Startup options that the server supports
  • How to set the server SQL mode
  • Server system variables
  • Server status variables

5.2.1 mysqld Command-line Options

When you start the mysqld server, you can specify program options using any of the methods described in section 4.3 Specifying Program Options. The most common methods are to provide options in an option file or on the command line. However, in most cases it is desirable to make sure the server uses the same options each time it runs. The best way to ensure this is to list them in an option file. See section 4.3.2 Using Option Files.

mysqld reads options from the [mysqld] and [server] groups. mysqld_safe reads options from the [mysqld], [server], [mysqld_safe] and [safe_mysqld] groups. mysql.server reads options from the [mysqld] and [mysql.server] groups. An embedded MySQL server usually reads options from the [server], [embedded] and [xxxxx_SERVER] groups, where xxxxx is the name of the application into which the server is embedded.

mysqld accepts many command-line options. For a list, execute mysqld --help. Before MySQL 4.1.1, --help prints the full help message. As of 4.1.1, it prints a brief message; to see the full list, use mysqld --verbose --help.

The following list shows some of the most common server options. Additional options are described elsewhere:

You can also set the value of a server system variable by using the variable name as an option, as described later in this section.

--help, -?
Display a short help message and exit. Before MySQL 4.1.1, --help displays the full help message. As of 4.1.1, it displays an abbreviated message only. Use both the --verbose and --help options to see the full message.
--ansi
Use standard SQL syntax instead of MySQL syntax. See section 1.8.3 Running MySQL in ANSI Mode. For more precise control over the server SQL mode, use the --sql-mode option instead.
--basedir=path, -b path
The path to the MySQL installation directory. All paths are usually resolved relative to this.
--big-tables
Allow large result sets by saving all temporary sets on file. This option prevents most ``table full'' errors, but also slows down queries for which in-memory tables would suffice. Since Version 3.23.2, MySQL is able to handle large result sets automatically by using memory for small temporary tables and switching to disk tables where necessary.
--bind-address=IP
The IP address to bind to.
--console
Write the error log messages to stderr/stdout even if --log-error is specified. On Windows, mysqld will not close the console screen if this option is used.
--character-sets-dir=path
The directory where character sets are installed. See section 5.7.1 The Character Set Used for Data and Sorting.
--chroot=path
Put the mysqld server in a closed environment during startup by using the chroot() system call. This is a recommended security measure as of MySQL 4.0. (MySQL 3.23 is not able to provide a chroot() jail that is 100% closed.) Note that use of this option somewhat limits LOAD DATA INFILE and SELECT ... INTO OUTFILE.
--core-file
Write a core file if mysqld dies. For some systems, you must also specify the --core-file-size option to mysqld_safe. See section 5.1.3 The mysqld_safe Server Startup Script. Note that on some systems, such as Solaris, you will not get a core file if you are also using the --user option.
--datadir=path, -h path
The path to the data directory.
--debug[=debug_options], -# [debug_options]
If MySQL is configured with --with-debug, you can use this option to get a trace file of what mysqld is doing. The debug_options string often is 'd:t:o,filename'. See section D.1.2 Creating Trace Files.
--default-character-set=charset
Use charset as the default character set. See section 5.7.1 The Character Set Used for Data and Sorting.
--default-collation=collation
Use collation as the default collation. This option is available as of MySQL 4.1.1. See section 5.7.1 The Character Set Used for Data and Sorting.
--default-storage-engine=type
This option is a synonym for --default-table-type. It is available as of MySQL 4.1.2.
--default-table-type=type
Set the default table type for tables. See section 15 MySQL Storage Engines and Table Types.
--delay-key-write[= OFF | ON | ALL]
How the DELAYED KEYS option should be used. Delayed key writing causes key buffers not to be flushed between writes for MyISAM tables. OFF disables delayed key writes. ON enables delayed key writes for those tables that were created with the DELAYED KEYS option. ALL delays key writes for all MyISAM tables. Available as of MySQL 4.0.3. See section 7.5.2 Tuning Server Parameters. See section 15.1.1 MyISAM Startup Options. NOTE: If you set this variable to ALL, you should not use MyISAM tables from another program (like from another MySQL server or with myisamchk) when the table is in use. Doing so, will lead to index corruption.
--delay-key-write-for-all-tables
Old form of --delay-key-write=ALL for use prior to MySQL 4.0.3. As of 4.0.3, use --delay-key-write instead.
--des-key-file=file_name
Read the default keys used by DES_ENCRYPT() and DES_DECRYPT() from this file.
--enable-external-locking
Enable system locking. Note that if you use this option on a system on which lockd does not fully work (as on Linux), you will easily get mysqld to deadlock. This option previously was named --enable-locking. NOTE: If you use this option to enable updates to MyISAM tables from many MySQL processes, you have to ensure that these conditions are satisfied:
  • You should not use the query cache for queries that uses tables that are updated by another process.
  • You should not use --delay-key-write=ALL or DELAY_KEY_WRITE=1 on any shared tables.
The easiest way to ensure this is to always use --enable-locking together with --delay-key-write=OFF --query-cache-size=0. (This is not done by default as in many setups it's useful to have a mixture of the above options).
--enable-named-pipe
Enable support for named pipes. This option applies only on Windows NT, 2000, and XP systems, and can be used only with the mysqld-nt and mysqld-max-nt servers that support named pipe connections.
--exit-info, -T
This is a bit mask of different flags you can use for debugging the mysqld server. Do not use this option unless you know exactly what it does!
--flush
Flush all changes to disk after each SQL statement. Normally MySQL only does a write of all changes to disk after each SQL statement and lets the operating system handle the syncing to disk. See section A.4.1 What to Do if MySQL Keeps Crashing.
--init-file=file
Read SQL statements from this file at startup. Each statement must be on a single line and should not include comments.
--language=lang_name, -L lang_name
Client error messages in given language. lang_name can be given as the language name or as the full pathname to the directory where the language files are installed. See section 5.7.2 Setting the Error Message Language.
--log[=file], -l [file]
Log connections and queries to this file. See section 5.8.2 The General Query Log. If you don't specify a file name, MySQL will use hostname.log as filename.
--log-bin=[file]
Log all queries that change data to this file. Used for backup and replication. See section 5.8.4 The Binary Log. If you don't specify a file name, MySQL will use hostname-bin as filename.
--log-bin-index[=file]
The index file for binary log file names. See section 5.8.4 The Binary Log. If you don't specify file name, MySQL will use hostname-bin.index as filename.
--log-error[=file]
Log errors and startup messages to this file. See section 5.8.1 The Error Log. If you don't specify file name, MySQL will use hostname.err as filename.
--log-isam[=file]
Log all ISAM/MyISAM changes to this file (used only when debugging ISAM/MyISAM).
--log-long-format
Log some extra information to the log files (update log, binary update log, and slow queries log, whatever log has been activated). For example, username and timestamp are logged for queries. If you are using --log-slow-queries and --log-long-format, then queries that are not using indexes also are logged to the slow query log. Note that --log-long-format is deprecated as of MySQL version 4.1, when --log-short-format was introduced (the long log format is the default setting since version 4.1). Also note that starting with MySQL 4.1 the --log-queries-not-using-indexes option is available for the purpose of logging queries that do not use indexes to the slow queries log.
--log-queries-not-using-indexes
If you are using this option with --log-slow-queries, then also queries that are not using indexes are logged to the slow query log. This option is available as of MySQL 4.1. See section 5.8.5 The Slow Query Log.
--log-short-format
Log less information to the log files (update log, binary update log, and slow queries log, whatever log has been activated). For example, username and timestamp are not logged for queries. This options was introduced in MySQL 4.1.
--log-slow-queries[=file]
Log all queries that have taken more than long_query_time seconds to execute to file. Note that the default for the amount of information logged has changed in MySQL 4.1. See the --log-long-format and --log-long-format options for details. See section 5.8.5 The Slow Query Log.
--log-update[=file]
Log updates to file.# where # is a unique number if not given. See section 5.8.3 The Update Log. The update log is deprecated and is removed in MySQL 5.0.0; you should use the binary log instead (--log-bin). See section 5.8.4 The Binary Log. Starting from version 5.0.0, using --log-update will just turn on the binary log instead (see section C.1.2 Changes in release 5.0.0 (22 Dec 2003: Alpha)).
--log-warnings, -W
Print out warnings like Aborted connection... to the `.err' file. Enabling this option is recommended, for example, if you use replication (you will get more information about what is happening, such as messages about network failures and reconnections). See section A.2.11 Communication Errors / Aborted Connection. This option was named --warnings before MySQL 4.0.
--low-priority-updates
Table-modifying operations (INSERT/DELETE/UPDATE) will have lower priority than selects. It can also be done via {INSERT | REPLACE | UPDATE | DELETE} LOW_PRIORITY ... to lower the priority of only one query, or by SET LOW_PRIORITY_UPDATES=1 to change the priority in one thread. See section 7.3.2 Table Locking Issues.
--memlock
Lock the mysqld process in memory. This works on systems such as Solaris that support the mlockall() system call. This might help if you have a problem where the operating system is causing mysqld to swap on disk. Note that use of this option requires that you run the server as root, which is normally not a good idea for security reasons.
--myisam-recover [=option[,option...]]]
Set the MyISAM storage engine recovery mode. The option value is any combination of the values of DEFAULT, BACKUP, FORCE or QUICK. If you specify multiple values, seprate them by commas. You can also use a value of "" to disable this option. If this option is used, mysqld will on open check if the table is marked as crashed or if the table wasn't closed properly. (The last option works only if you are running with --skip-external-locking.) If this is the case mysqld will run check on the table. If the table was corrupted, mysqld will attempt to repair it. The following options affect how the repair works:
Option Description
DEFAULT The same as not giving any option to --myisam-recover.
BACKUP If the data table was changed during recover, save a backup of the `tbl_name.MYD' datafile as `tbl_name-datetime.BAK'.
FORCE Run recovery even if we will lose more than one row from the `.MYD' file.
QUICK Don't check the rows in the table if there aren't any delete blocks.
Before a table is automatically repaired, MySQL will add a note about this in the error log. If you want to be able to recover from most problems without user intervention, you should use the options BACKUP,FORCE. This will force a repair of a table even if some rows would be deleted, but it will keep the old datafile as a backup so that you can later examine what happened.
--new
From version 4.0.12, the --new option can be used to make the server behave as 4.1 in certain respects, easing a 4.0 to 4.1 upgrade:
  • TIMESTAMP is returned as a string with the format 'YYYY-MM-DD HH:MM:SS'. See section 12 Column Types.
This option can be used to help you see how your applications will behave in MySQL 4.1, without actually upgrading to 4.1.
--pid-file=path
The path to the process ID file used by mysqld_safe.
--port=num, -P num
The port number to use when listening for TCP/IP connections.
--old-protocol, -o
Use the 3.20 protocol for compatibility with some very old clients. See section 2.5.6 Upgrading from Version 3.20 to 3.21.
--one-thread
Only use one thread (for debugging under Linux). This option is available only if the server is built with debugging enabled. See section D.1 Debugging a MySQL server.
--open-files-limit=
To change the number of file descriptors available to mysqld. If this is not set or set to 0, then mysqld will use this value to reserve file descriptors to use with setrlimit(). If this value is 0 then mysqld will reserve max_connections*5 or max_connections + table_cache*2 (whichever is larger) number of files. You should try increasing this if mysqld gives you the error 'Too many open files'.
--safe-mode
Skip some optimize stages.
--safe-show-database
With this option, the SHOW DATABASES statement returns only those databases for which the user has some kind of privilege. From version 4.0.2 this option is deprecated and doesn't do anything (the option is enabled by default) as we now have the SHOW DATABASES privilege. See section 14.5.1.2 GRANT and REVOKE Syntax.
--safe-user-create
If this is enabled, a user can't create new users with the GRANT statement, if the user doesn't have INSERT privilege to the mysql.user table or any column in this table.
--skip-bdb
Disable the BDB storage engine. This saves memory and might speed up some operations. Do not use this operation if you require BDB tables.
--skip-concurrent-insert
Turn off the ability to select and insert at the same time on MyISAM tables. (This is only to be used if you think you have found a bug in this feature.)
--skip-delay-key-write
Ignore the DELAY_KEY_WRITE option for all tables. As of MySQL 4.0.3, you should use --delay-key-write=OFF instead. See section 7.5.2 Tuning Server Parameters.
--skip-external-locking
Don't use system locking. To use isamchk or myisamchk you must shut down the server. See section 1.2.3 MySQL Stability. Note that in MySQL Version 3.23, you can use CHECK TABLE and REPAIR TABLE to check and repair MyISAM tables. This option previously was named --skip-locking.
--skip-grant-tables
This option causes the server not to use the privilege system at all. This gives everyone full access to all databases! (You can tell a running server to start using the grant tables again by executing a mysqladmin flush-privileges or mysqladmin reload command, or by issuing a FLUSH PRIVILEGES statement.)
--skip-host-cache
Do not use the internal hostname cache for faster name-IP resolution. Instead, query the DNS server every time a client connects. See section 7.5.5 How MySQL uses DNS.
--skip-innodb
Disable the InnoDB storage engine. This saves memory and disk space and might speed up some operations. Do not use this operation if you require InnoDB tables.
--skip-isam
Disable the ISAM storage engine. As of MySQL 4.1, ISAM is disabled by default, so this option applies only if the server was configured with support for ISAM. This option was added in MySQL 4.1.1.
--skip-name-resolve
Do not resolve hostnames when checking client connections. Use only IP numbers. If you use this option, all Host column values in the grant tables must be IP numbers or localhost. See section 7.5.5 How MySQL uses DNS.
--skip-networking
Don't listen for TCP/IP connections at all. All interaction with mysqld must be made via named pipes (on Windows) or Unix socket files (on Unix). This option is highly recommended for systems where only local clients are allowed. See section 7.5.5 How MySQL uses DNS.
--skip-new
Don't use new, possibly wrong routines.
--skip-symlink
This is the old form of --skip-symbolic-links, for use before MySQL 4.0.13.
--symbolic-links, --skip-symbolic-links
Enable or disable symbolic link support. This option has different effects on Windows and Unix:
  • On Windows, enabling symbolic links allows you to establish a symbolic link to a database directory by creating a directory.sym file that contains the path to the real directory. See section 7.6.1.3 Using Symbolic Links for Databases on Windows.
  • On Unix, enabling symbolic links means that you can link a MyISAM index file or datafile to another directory with the INDEX DIRECTORY or DATA DIRECTORY options of the CREATE TABLE statement. If you delete or rename the table, the files that its symbolic links point to also are deleted or renamed. See section 14.2.5 CREATE TABLE Syntax.
This option was added in MySQL 4.0.13.
--skip-safemalloc
If MySQL is configured with --with-debug=full, all MySQL programs checks for memory overruns during each memory allocation and memory freeing operation. This checking is very slow, so for the server you can avoid it when you don't need it by using the --skip-safemalloc option.
--skip-show-database
Don't allow the SHOW DATABASES statement, unless the user has the SHOW DATABASES privilege.
--skip-stack-trace
Don't write stack traces. This option is useful when you are running mysqld under a debugger. On some systems, you also must use this option to get a core file. See section D.1 Debugging a MySQL server.
--skip-thread-priority
Disable using thread priorities for faster response time.
--socket=path
On Unix, this option specifies the Unix socket file to use for local connections. The default value is `/tmp/mysql.sock'. On Windows, the option specifies the pipe name to use for local connections that use a named pipe. The default value is MySQL.
--sql-mode=value[,value[,value...]]
Set the SQL mode for MySQL. See section 1.8.2 Selecting SQL Modes. This option was added in 3.23.41.
--temp-pool
This option causes most temporary files created by the server to use a small set of names, rather than a unique name for each new file. This works around a problem in the Linux kernel dealing with creating many new files with different names. With the old behavior, Linux seems to ``leak'' memory, as it's being allocated to the directory entry cache rather than to the disk cache.
--transaction-isolation=level
Sets the default transaction isolation level, which can be READ-UNCOMMITTED, READ-COMMITTED, REPEATABLE-READ, or SERIALIZABLE. See section 14.4.6 SET TRANSACTION Syntax.
--tmpdir=path, -t path
The path of the directory to use for creating temporary files. It might be useful if your default /tmp directory resides on a partition that is too small to hold temporary tables. Starting from MySQL 4.1, this option accepts several paths that are used in round-robin fashion. Paths should be separated by colon characters (`:') on Unix and semicolon characters (`;') on Windows, NetWare, and OS/2. If the MySQL server is acting as a replication slave, you should not set --tmpdir to point to a directory on a memory-based filesystem or to a directory that is cleared when the server host restarts. A replication slave needs some of its temporary files to survive a machine restart so that it can replicate temporary tables or LOAD DATA INFILE operations. If files in the temporary file directory are lost when the server restarts, replication will fail.
--user={user_name | user_id}, -u {user_name | user_id}
Run the mysqld server as the user having the name user_name or the numeric user ID user_id. (``User'' in this context refers to a system login account, not a MySQL user listed in the grant tables.) This option is mandatory when starting mysqld as root. The server will change its user ID during its startup sequence, causing it to run as that particular user rather than as root. See section 5.3.1 General Security Guidelines. Starting from MySQL 3.23.56 and 4.0.12: To avoid a possible security hole where a user adds a --user=root option to some `my.cnf' file (thus causing the server to run as root), mysqld uses only the first --user option specified and produces a warning if there are multiple --user options. Options in `/etc/my.cnf' and `datadir/my.cnf' are processed before command-line options, so it is recommended that you put a --user option in `/etc/my.cnf' and specify a value other than root. The option in `/etc/my.cnf' will be found before any other --user options, which ensures that the server runs as a user other than root, and that a warning results if any other --user option is found.
--version, -V
Display version information and exit.

You can assign a value to a server system variables by using an option of the form --var_name=value. For example, --key_buffer_size=32M sets the key_buffer_size variable to a value of 32MB.

Note that when setting a variable to a value, MySQL might automatically correct it to stay within a given range, or adjust the value to the closest allowable value if only certain values are allowed.

It is also possible to set variables by using --set-variable=var_name=value or -O var_name=value syntax. However, this syntax is deprecated as of MySQL 4.0.

You can find a full description for all variables in section 5.2.3 Server System Variables. The section on tuning server parameters includes information on how to optimize them. See section 7.5.2 Tuning Server Parameters.

You can change the values of most system variables for a running server with the SET statement. See section 14.5.3.1 SET Syntax.

If you want to restrict the maximum value a startup option can be set to with SET, you can define this by using the --maximum-var_name command-line option.

5.2.2 The Server SQL Mode

The MySQL server can operate in different SQL modes, and (as of MySQL 4.1) can apply these modes differentially for different clients. This allows applications to tailor server operation to their own requirements.

Modes define what SQL syntax MySQL should support and what kind of data validation checks it should perform. This makes it easier to use MySQL in different environments and to use MySQL together with other database servers.

You can set the default SQL mode by starting mysqld with the --sql-mode="modes" option. Beginning with MySQL 4.1, you can also change the mode after startup time by setting the sql_mode variable with a SET [SESSION|GLOBAL] sql_mode='modes' statement. Setting the GLOBAL variable affects the operation of all clients that connect from that time on. Setting the SESSION variable affects only the current client. modes is a list of different modes separated by comma (`,') characters. You can retrieve the current mode by issuing a SELECT @@sql_mode statement. The default value is empty (no modes set).

The value also can be empty (--sql-mode="") if you want to reset it.

The following list describes the supported modes:

ANSI_QUOTES
Treat `"' as an identifier quote character (like the MySQL Server ``' quote character) and not as a string quote character. You can still use ``' to quote identifers in ANSI mode. With ANSI_QUOTES enabled, you cannot use double quotes to quote a literal string, because it will be intepreted as an identifier. (New in MySQL 4.0.0.)
IGNORE_SPACE
Allow spaces between a function name and the `(' character. This forces all function names to be treated as reserved words. As a result, if you want to access any database, table, or column name that is a reserved word, you must quote it. For example, because there is a USER() function, the name of the user table in the mysql database and the User column in that table become reserved, so you must quote them:
SELECT "User" FROM mysql."user";
(New in MySQL 4.0.0.)
NO_AUTO_VALUE_ON_ZERO
NO_AUTO_VALUE_ON_ZERO affects handling of AUTO_INCREMENT columns. Normally, you generate the next sequence number for the column by inserting either NULL or 0 into it. NO_AUTO_VALUE_ON_ZERO suppresses this behavior for 0 so that only NULL generates the next sequence number. This mode can be useful if 0 has been stored in a table's AUTO_INCREMENT column. (This is not a recommended practice, by the way.) For example, if you dump the table with mysqldump and then reload it, normally MySQL generates new sequence numbers when it encounters the 0 values, resulting in a table with different contents than the one that was dumped. Enabling NO_AUTO_VALUE_ON_ZERO before reloading the dump file solves this problem. (As of MySQL 4.1.1, mysqldump automatically includes statements in the dump output to enable NO_AUTO_VALUE_ON_ZERO.) (New in MySQL 4.1.1.)
NO_DIR_IN_CREATE
When creating a table, ignore all INDEX DIRECTORY and DATA DIRECTORY directives. This option is useful on slave replication servers. (New in MySQL 4.0.15.)
NO_FIELD_OPTIONS
Don't print MySQL field-specific options in the output of SHOW CREATE TABLE. This mode is used by mysqldump in portability mode. (New in MySQL 4.1.1.)
NO_KEY_OPTIONS
Don't print MySQL index-specific options in the output of SHOW CREATE TABLE. This mode is used by mysqldump in portability mode. (New in MySQL 4.1.1.)
NO_TABLE_OPTIONS
Don't print MySQL table-specific options (such as ENGINE) in the output of SHOW CREATE TABLE. This mode is used by mysqldump in portability mode. (New in MySQL 4.1.1.)
NO_UNSIGNED_SUBTRACTION
In subtraction operations, don't mark the result as UNSIGNED if one of the operands is unsigned. Note that this makes UNSIGNED BIGINT not 100% usable in all contexts. See section 13.7 Cast Functions. (New in MySQL 4.0.2.)
ONLY_FULL_GROUP_BY
Don't allow queries which in the GROUP BY part refers to a not selected column. (New in MySQL 4.0.0.)
PIPES_AS_CONCAT
Treat || as a string concatenation operator (same as CONCAT()) rather than as a synonym for OR. (New in MySQL 4.0.0.)
REAL_AS_FLOAT
Treat REAL as a synonym for FLOAT rather than as a synonym for DOUBLE. (New in MySQL 4.0.0.)

The following special modes are provided as shorthand for combinations of mode values from the preceding list. They are available as of MySQL 4.1.1.

ANSI
Equivalent to REAL_AS_FLOAT, PIPES_AS_CONCAT, ANSI_QUOTES, IGNORE_SPACE, ONLY_FULL_GROUP_BY. See section 1.8.3 Running MySQL in ANSI Mode.
DB2
Equivalent to PIPES_AS_CONCAT, ANSI_QUOTES, IGNORE_SPACE, NO_KEY_OPTIONS, NO_TABLE_OPTIONS, NO_FIELD_OPTIONS.
MAXDB
Equivalent to PIPES_AS_CONCAT, ANSI_QUOTES, IGNORE_SPACE, NO_KEY_OPTIONS, NO_TABLE_OPTIONS, NO_FIELD_OPTIONS.
MSSQL
Equivalent to PIPES_AS_CONCAT, ANSI_QUOTES, IGNORE_SPACE, NO_KEY_OPTIONS, NO_TABLE_OPTIONS, NO_FIELD_OPTIONS.
MYSQL323
Equivalent to NO_FIELD_OPTIONS.
MYSQL40
Equivalent to NO_FIELD_OPTIONS.
ORACLE
Equivalent to PIPES_AS_CONCAT, ANSI_QUOTES, IGNORE_SPACE, NO_KEY_OPTIONS, NO_TABLE_OPTIONS, NO_FIELD_OPTIONS.
POSTGRESQL
Equivalent to PIPES_AS_CONCAT, ANSI_QUOTES, IGNORE_SPACE, NO_KEY_OPTIONS, NO_TABLE_OPTIONS, NO_FIELD_OPTIONS.

5.2.3 Server System Variables

The server maintains many system variables that indicate how it is configured. All of them have default values. They can be set at server startup using options on the command line or in option files. Most of them can be set at runtime using the SET statement.

Beginning with MySQL 4.0.3, the mysqld server maintains two kinds of variables. Global variables affect the overall operation of the server. Session variables affect its operation for individual client connections.

When the server starts, it initializes all global variables to their default values. These defaults can be changed by options specified in option files or on the command line. After the server starts, those global variables that are dynamic can be changed by connecting to the server and issuing a SET GLOBAL var_name statement. To change a global variable, you must have the SUPER privilege.

The server also maintains a set of session variables for each client that connects. The client's session variables are initialized at connect time using the current values of the corresponding global variables. For those session variables that are dynamic, the client can change them by issuing a SET SESSION var_name statement. Setting a session variable requires no special privilege, but a client can change only its own session variables, not those of any other client.

A change to a global variable is visible to any client that accesses that global variable. However, it affects the corresponding session variable that is intialized from the global variable only for clients that connect after the change. It does not affect the session variable for any client that is already connected (not even that of the client that issues the SET GLOBAL statement).

When setting a variable using a startup option, variable values can be given with a suffix of K, M, or G to indicate kilobytes, megabytes, or gigabytes. For example, the following command starts the server with a key buffer size of 16 megabytes:

mysqld --key_buffer_size=16M

Before MySQL 4.0, use this syntax instead:

mysqld --set-variable=key_buffer_size=16M

The lettercase of suffix letters does not matter; 16M and 16m are equivalent.

At runtime, use the SET statement to set system variables. In this context, suffix letters cannot be used, but the value can take the form of an expression:

mysql> SET sort_buffer_size = 10 * 1024 * 1024;

To specify explicitly whether to set the global or session variable, use the GLOBAL or SESSION options:

mysql> SET GLOBAL sort_buffer_size = 10 * 1024 * 1024;
mysql> SET SESSION sort_buffer_size = 10 * 1024 * 1024;

Without either option, the statement sets the session variable.

The variables that can be set at runtime are listed in section 5.2.3.1 Dynamic System Variables.

If you want to restrict the maximum value to which a system variable can be set with the SET statement, you can specify this maximum at startup by using an option of the form --maximum-var_name at server startup. For example, to prevent the value of query_cache_size from being increased to more than 32MB at runtime, use the option --maximum-query_cache_size=32M. This feature is available as of MySQL 4.0.2.

You can view system variables and their values by using the SHOW VARIABLES statement. Many variables have both global and session values. See section 10.4 System Variables for more information.

mysql> SHOW VARIABLES;
+---------------------------------+------------------------------+
| Variable_name                   | Value                        |
+---------------------------------+------------------------------|
| back_log                        | 50                           |
| basedir                         | /usr/local/mysql             |
| bdb_cache_size                  | 8388572                      |
| bdb_home                        | /usr/local/mysql             |
| bdb_log_buffer_size             | 32768                        |
| bdb_logdir                      |                              |
| bdb_max_lock                    | 10000                        |
| bdb_shared_data                 | OFF                          |
| bdb_tmpdir                      | /tmp/                        |
| bdb_version                     | Sleepycat Software: ...      |
| binlog_cache_size               | 32768                        |
| bulk_insert_buffer_size         | 8388608                      |
| character_set                   | latin1                       |
| character_sets                  | latin1 big5 czech euc_kr     |
| concurrent_insert               | ON                           |
| connect_timeout                 | 5                            |
| convert_character_set           |                              |
| datadir                         | /usr/local/mysql/data/       |
| default_week_format             | 0                            |
| delay_key_write                 | ON                           |
| delayed_insert_limit            | 100                          |
| delayed_insert_timeout          | 300                          |
| delayed_queue_size              | 1000                         |
| flush                           | OFF                          |
| flush_time                      | 0                            |
| ft_boolean_syntax               | + -><()~*:""&|               |
| ft_max_word_len                 | 84                           |
| ft_min_word_len                 | 4                            |
| ft_query_expansion_limit        | 20                           |
| ft_stopword_file                | (built-in)                   |
| have_bdb                        | YES                          |
| have_innodb                     | YES                          |
| have_isam                       | YES                          |
| have_openssl                    | YES                          |
| have_query_cache                | YES                          |
| have_raid                       | NO                           |
| have_symlink                    | DISABLED                     |
| init_file                       |                              |
| innodb_additional_mem_pool_size | 1048576                      |
| innodb_buffer_pool_size         | 8388608                      |
| innodb_data_file_path           | ibdata1:10M:autoextend       |
| innodb_data_home_dir            |                              |
| innodb_fast_shutdown            | ON                           |
| innodb_file_io_threads          | 4                            |
| innodb_flush_log_at_trx_commit  | 1                            |
| innodb_flush_method             |                              |
| innodb_force_recovery           | 0                            |
| innodb_lock_wait_timeout        | 50                           |
| innodb_log_arch_dir             |                              |
| innodb_log_archive              | OFF                          |
| innodb_log_buffer_size          | 1048576                      |
| innodb_log_file_size            | 5242880                      |
| innodb_log_files_in_group       | 2                            |
| innodb_log_group_home_dir       | ./                           |
| innodb_mirrored_log_groups      | 1                            |
| innodb_thread_concurrency       | 8                            |
| interactive_timeout             | 28800                        |
| join_buffer_size                | 131072                       |
| key_buffer_size                 | 16773120                     |
| key_cache_age_threshold         | 300                          |
| key_cache_block_size            | 1024                         |
| key_cache_division_limit        | 100                          |
| language                        | /usr/local/mysql/share/...   |
| large_files_support             | ON                           |
| local_infile                    | ON                           |
| locked_in_memory                | OFF                          |
| log                             | OFF                          |
| log_bin                         | OFF                          |
| log_slave_updates               | OFF                          |
| log_slow_queries                | OFF                          |
| log_update                      | OFF                          |
| log_warnings                    | OFF                          |
| long_query_time                 | 10                           |
| low_priority_updates            | OFF                          |
| lower_case_table_names          | 0                            |
| max_allowed_packet              | 1047552                      |
| max_binlog_cache_size           | 4294967295                   |
| max_binlog_size                 | 1073741824                   |
| max_connect_errors              | 10                           |
| max_connections                 | 100                          |
| max_delayed_threads             | 20                           |
| max_error_count                 | 64                           |
| max_heap_table_size             | 16777216                     |
| max_join_size                   | 4294967295                   |
| max_relay_log_size              | 0                            |
| max_sort_length                 | 1024                         |
| max_tmp_tables                  | 32                           |
| max_user_connections            | 0                            |
| max_write_lock_count            | 4294967295                   |
| myisam_max_extra_sort_file_size | 268435456                    |
| myisam_max_sort_file_size       | 2147483647                   |
| myisam_recover_options          | force                        |
| myisam_repair_threads           | 1                            |
| myisam_sort_buffer_size         | 8388608                      |
| net_buffer_length               | 16384                        |
| net_read_timeout                | 30                           |
| net_retry_count                 | 10                           |
| net_write_timeout               | 60                           |
| open_files_limit                | 1024                         |
| pid_file                        | /usr/local/mysql/name.pid    |
| port                            | 3306                         |
| protocol_version                | 10                           |
| query_cache_limit               | 1048576                      |
| query_cache_size                | 0                            |
| query_cache_type                | ON                           |
| read_buffer_size                | 131072                       |
| read_rnd_buffer_size            | 262144                       |
| rpl_recovery_rank               | 0                            |
| server_id                       | 0                            |
| skip_external_locking           | ON                           |
| skip_networking                 | OFF                          |
| skip_show_database              | OFF                          |
| slave_net_timeout               | 3600                         |
| slow_launch_time                | 2                            |
| socket                          | /tmp/mysql.sock              |
| sort_buffer_size                | 2097116                      |
| sql_mode                        |                              |
| table_cache                     | 64                           |
| table_type                      | MYISAM                       |
| thread_cache_size               | 3                            |
| thread_stack                    | 131072                       |
| timezone                        | EEST                         |
| tmp_table_size                  | 33554432                     |
| tmpdir                          | /tmp/:/mnt/hd2/tmp/          |
| tx_isolation                    | READ-COMMITTED               |
| version                         | 4.0.4-beta                   |
| wait_timeout                    | 28800                        |
+---------------------------------+------------------------------+

Most system variables are described here. InnoDB system variables are listed at section 16.5 InnoDB Startup Options.

Values for buffer sizes, lengths, and stack sizes are given in bytes unless otherwise specified.

Information on tuning these variables can be found in section 7.5.2 Tuning Server Parameters.

The system variables have the following meanings. Variables with no version indicated have been present since at least MySQL 3.22.

ansi_mode
Is ON if mysqld was started with --ansi. See section 1.8.3 Running MySQL in ANSI Mode. This variable was added in MySQL 3.23.6 and removed in 3.23.41.
back_log
The number of outstanding connection requests MySQL can have. This comes into play when the main MySQL thread gets very many connection requests in a very short time. It then takes some time (although very little) for the main thread to check the connection and start a new thread. The back_log value indicates how many requests can be stacked during this short time before MySQL momentarily stops answering new requests. You need to increase this only if you expect a large number of connections in a short period of time. In other words, this value is the size of the listen queue for incoming TCP/IP connections. Your operating system has its own limit on the size of this queue. The manual page for the Unix listen(2) system call should have more details. Check your OS documentation for the maximum value for this variable. Attempting to set back_log higher than your operating system limit will be ineffective.
basedir
The MySQL installation base directory. This variable can be set with the --basedir option.
bdb_cache_size
The size of the buffer that is allocated for caching indexes and rows for BDB tables. If you don't use BDB tables, you should start mysqld with --skip-bdb to not waste memory for this cache. This variable was added in MySQL 3.23.14.
bdb_home
The base directory for BDB tables. This should be assigned the same value as the datadir variable. This variable was added in MySQL 3.23.14.
bdb_log_buffer_size
The size of the buffer that is allocated for caching indexes and rows for BDB tables. If you don't use BDB tables, you should set this to 0 or start mysqld with --skip-bdb to not waste memory for this cache. This variable was added in MySQL 3.23.31.
bdb_logdir
The directory where the BDB storage engine writes its log files. This variable can be set with the --bdb-logdir option. This variable was added in MySQL 3.23.14.
bdb_max_lock
The maximum number of locks you can have active on a BDB table (10,000 by default). You should increase this if errors such as the following occur when you perform long transactions or when mysqld has to examine many rows to calculate a query:
bdb: Lock table is out of available locks
Got error 12 from ...
This variable was added in MySQL 3.23.29.
bdb_shared_data
Is ON if you are using --bdb-shared-data. This variable was added in MySQL 3.23.29.
bdb_tmpdir
The value of the --bdb-tmpdir option. This variable was added in MySQL 3.23.14.
bdb_version
The BDB storage engine version. This variable was added in MySQL 3.23.31.
binlog_cache_size
The size of the cache to hold the SQL statements for the binary log during a transaction. A binary log cache is allocated for each client if the server supports any transactional storage engines and, starting from MySQL 4.1.2, if the server has binary log enabled (log-bin option). If you often use big, multiple-statement transactions, you can increase this to get more performance. The Binlog_cache_use and Binlog_cache_disk_use status variables can be useful for tuning the size of this variable. This variable was added in MySQL 3.23.29. See section 5.8.4 The Binary Log.
bulk_insert_buffer_size
MyISAM uses a special tree-like cache to make bulk inserts faster for INSERT ... SELECT, INSERT ... VALUES (...), (...), ..., and LOAD DATA INFILE. This variable limits the size of the cache tree in bytes per thread. Setting it to 0 disables this optimization. Note: This cache is used only when adding data to a non-empty table. The default value is 8MB. This variable was added in MySQL 4.0.3. This variable previously was named myisam_bulk_insert_tree_size.
character_set
The default character set. This variable was added in MySQL 3.23.3, then removed in MySQL 4.1.1 and replaced by the various character_set_xxx variables.
character_set_client
The character set for statements that arrive from the client. This variable was added in MySQL 4.1.1.
character_set_connection
The character set used for literals that do not have a character set introducer, for some functions, and for number-to-string conversion. This variable was added in MySQL 4.1.1.
character_set_database
The character set used by the default database. The server sets this variable whenever the default database changes. If there is no default database, the variable has the same value as character_set_server. This variable was added in MySQL 4.1.1.
character_set_results
The character set used for returning query results to the client. This variable was added in MySQL 4.1.1.
character_set_server
This variable was added in MySQL 4.1.1.
character_set_system
The character set used by the server for storing identifiers. The value is always utf8. This variable was added in MySQL 4.1.1.
character_sets
The supported character sets. This variable was added in MySQL 3.23.15.
collation_connection
This variable was added in MySQL 4.1.1.
collation_database
The collation used by the default database. The server sets this variable whenever the default database changes. If there is no default database, the variable has the same value as collation_server. This variable was added in MySQL 4.1.1.
collation_server
This variable was added in MySQL 4.1.1.
concurrent_inserts
If ON (the default), MySQL allows INSERT and SELECT statements to run concurrently for MyISAM tables that have no free blocks in the middle. You can turn this option off by starting mysqld with --safe or --skip-new. This variable was added in MySQL 3.23.7.
connect_timeout
The number of seconds the mysqld server waits for a connect packet before responding with Bad handshake.
datadir
The MySQL data directory. This variable can be set with the --datadir option.
default_week_format
The default mode value to use for the WEEK() function. This variable is available as of MySQL 4.0.14.
delay_key_write
This option applies only to MyISAM tables. It can have one of the following values to affect handling of the DELAY_KEY_WRITE table option that can be given in CREATE TABLE statements.
Option Description
OFF DELAYED_KEY_WRITE is ignored.
ON MySQL honors the DELAY_KEY_WRITE option for CREATE TABLE. This is the default value.
ALL All new opened tables are treated as if they were created with the DELAY_KEY_WRITE option enabled.
If DELAY_KEY_WRITE is enabled, this means that the key buffer for tables with this option are not flushed on every index update, but only when a table is closed. This will speed up writes on keys a lot, but if you use this feature, you should add automatic checking of all MyISAM tables by starting the server with the --myisam-recover option (for example, --myisam-recover=BACKUP,FORCE). See section 5.2.1 mysqld Command-line Options. See section 15.1.1 MyISAM Startup Options. Note that --external-lock doesn't offer any protection against index corruption for tables that uses delayed key writes. This variable was added in MySQL 3.23.8.
delayed_insert_limit
After inserting delayed_insert_limit delayed rows, the INSERT DELAYED handler thread checks whether there are any SELECT statements pending. If so, it allows them to execute before continuing to insert delayed rows.
delayed_insert_timeout
How long an INSERT DELAYED handler thread should wait for INSERT statements before terminating.
delayed_queue_size
How many rows to queue when handling INSERT DELAYED statements. If the queue becomes full, any client that issues an INSERT DELAYED statement will wait until there is room in the queue again.
flush
This is ON if you have started mysqld with the --flush option. This variable was added in MySQL 3.22.9.
flush_time
If this is set to a non-zero value, all tables will be closed every flush_time seconds to free up resources and sync unflushed data to disk. We recommend this option only on Windows 9x or Me, or on systems with minimal resources available. This variable was added in MySQL 3.22.18.
ft_boolean_syntax
The list of operators supported by boolean full-text searches performed using IN BOOLEAN MODE. This variable was added in MySQL 4.0.1. See section 13.6.1 Boolean Full-text Searches. The default variable value is '+ -><()~*:""&|'. The rules for changing the value are as follows:
  • Operator function is determined by position within the string.
  • The replacement value must be fourteen characters.
  • Each character must be an ASCII non-alphanumeric character.
  • Either the first or second character must be a space.
  • No duplicates are allowed except the phrase quoting operators in positions 11 and 12. These two characters are not required to be the same, but they are the only two that may be.
  • Positions 10, 13, and 14 (which by default are set to `:', `&', and `|') are reserved for future extensions.
ft_max_word_len
The maximum length of the word to be included in a FULLTEXT index. This variable was added in MySQL 4.0.0. Note: FULLTEXT indexes must be rebuilt after changing this variable.
ft_min_word_len
The minimum length of the word to be included in a FULLTEXT index. This variable was added in MySQL 4.0.0. Note: FULLTEXT indexes must be rebuilt after changing this variable.
ft_query_expansion_limit
The number of top matches to use for full-text searches performed using WITH QUERY EXPANSION. This variable was added in MySQL 4.1.1.
ft_stopword_file
The file from which to read the list of stopwords for full-text searches. All the words from the file are used; comments are not honored. By default, a built-in list of stopwords is used (as defined in the `myisam/ft_static.c' file). Setting this variable to an empty string ('') disables stopword filtering. This variable was added in MySQL 4.0.10. Note: FULLTEXT indexes must be rebuilt after changing this variable.
group_concat_max_len
The maximum allowed result length for the GROUP_CONCAT() function. This variable was added in MySQL 4.1.0.
have_bdb
YES if mysqld supports BDB tables. DISABLED if --skip-bdb is used. This variable was added in MySQL 3.23.30.
have_innodb
YES if mysqld supports InnoDB tables. DISABLED if --skip-innodb is used. This variable was added in MySQL 3.23.37.
have_innodb
YES if mysqld supports ISAM tables. DISABLED if --skip-isam is used. This variable was added in MySQL 3.23.30.
have_raid
YES if mysqld supports the RAID option. This variable was added in MySQL 3.23.30.
have_openssl
YES if mysqld supports SSL (encryption) of the client/server protocol. This variable was added in MySQL 3.23.43.
init_connect
A string to be executed by the server for each client that connects. The string consists of one or more SQL statements. To specify multiple statements, separate them by semicolon characters. This variable was added in MySQL 4.1.2. For example, each client begins by default with autocommit mode enabled. There is no global server variable to specify that autocommit should be disabled by default, but init_connect can be used to achieve the same effect:
SET GLOBAL init_connect='SET AUTOCOMMIT=0';
This variable can also be set on the command line or in an option file. To set the variable as just shown using an option file, include these lines:
[mysqld]
init_connect='SET AUTOCOMMIT=0'
init_file
The name of the file specified with the --init-file option when you start the server. This is a file containing SQL statements that you want the server to execute when it starts. Each statement must be on a single line and should not include comments. This variable was added in MySQL 3.23.2.
init_slave
This variable is similar to init_connect, but is a string to be executed by a slave server each time the SQL thread starts. The format of the string is the same as for the init_connect variable. This variable was added in MySQL 4.1.2.
innodb_xxx
The InnoDB system variables are listed at section 16.5 InnoDB Startup Options.
interactive_timeout
The number of seconds the server waits for activity on an interactive connection before closing it. An interactive client is defined as a client that uses the CLIENT_INTERACTIVE option to mysql_real_connect(). See also wait_timeout.
join_buffer_size
The size of the buffer that is used for full joins (joins that do not use indexes). The buffer is allocated one time for each full join between two tables. Increase this value to get a faster full join when adding indexes is not possible. (Normally the best way to get fast joins is to add indexes.)
key_buffer_size
Index blocks for MyISAM and ISAM tables are buffered and are shared by all threads. key_buffer_size is the size of the buffer used for index blocks. The key buffer is also known as the key cache. Increase the value to get better index handling (for all reads and multiple writes) to as much as you can afford. Using a value that is 25% of total memory on a machine that mainly runs MySQL is quite common. However, if you make the value too large (for example, more than 50% of your total memory) your system might start to page and become extremely slow. Remember that MySQL relies on the operating system to perform filesystem caching for data reads, so you must leave some room for the filesystem cache. For even more speed when writing many rows at the same time, use LOCK TABLES. See section 14.4.5 LOCK TABLES and UNLOCK TABLES Syntax. You can check the performance of the key buffer by issuing a SHOW STATUS statement and examining the Key_read_requests, Key_reads, Key_write_requests, and Key_writes status variables. See section 14.5.3 SET and SHOW Syntax. The Key_reads/Key_read_requests ratio should normally be less than 0.01. The Key_writes/Key_write_requests ratio is usually near 1 if you are using mostly updates and deletes, but might be much smaller if you tend to do updates that affect many rows at the same time or if you are using the DELAY_KEY_WRITE table option. The fraction of the key buffer in use can be determined using key_buffer_size in conjunction with the Key_blocks_used status variable and the buffer blocksize. From MySQL 4.1.1 on, the buffer block size is available from the key_cache_block_size server variable. The fraction of the buffer in use is:
(Key_blocks_used * key_cache_block_size) / key_buffer_size
Before MySQL 4.1.1, key cache blocks are 1024 bytes, so the fraction of the key buffer in use is:
(Key_blocks_used * 1024) / key_buffer_size
See section 7.4.6 The MyISAM Key Cache.
key_cache_age_threshold
This value controls the demotion of buffers from the hot sub-chain of a key cache to the warm sub-chain. Lower values cause demotion to happen more quickly. The minimum value is 100. The default value is 300. This variable was added in MySQL 4.1.1. See section 7.4.6 The MyISAM Key Cache.
key_cache_block_size
The size in bytes of blocks in the key cache. The default value is 1024. This variable was added in MySQL 4.1.1. See section 7.4.6 The MyISAM Key Cache.
key_cache_division_limit
The division point between the hot and warm sub-chains of the key cache buffer chain. The value is the percentage of the buffer chain to use for the warm sub-chain. Allowable values range from 1 to 100. The default value is 100. This variable was added in MySQL 4.1.1. See section 7.4.6 The MyISAM Key Cache.
language
The language used for error messages.
large_file_support
Whether mysqld was compiled with options for big file support. This variable was added in MySQL 3.23.28.
local_infile
Whether LOCAL is supported for LOAD DATA INFILE statements. This variable was added in MySQL 4.0.3.
locked_in_memory
Whether mysqld was locked in memory with --memlock. This variable was added in MySQL 3.23.25.
log
Whether logging of all queries to the general query log is enabled. See section 5.8.2 The General Query Log.
log_bin
Whether the binary log is enabled. This variable was added in MySQL 3.23.14. See section 5.8.4 The Binary Log.
log_slave_updates
Whether updates received by a slave server from a master server should be logged to the slave's own binary log. Binary logging must be enabled on the slave for this to have any effect. This variable was added in MySQL 3.23.17. See section 6.8 Replication Startup Options.
log_slow_queries
Whether slow queries should be logged. ``Slow'' is determined by the value of the long_query_time variable. This variable was added in MySQL 4.0.2. See section 5.8.5 The Slow Query Log.
log_update
Whether the update log is enabled. This variable was added in MySQL 3.22.18. Note that the binary log is preferable to the update log, which is unavailable as of MySQL 5.0. See section 5.8.3 The Update Log.
long_query_time
If a query takes longer than this many seconds, the Slow_queries counter is incremented. If you are using the --log-slow-queries option, the query is logged to the slow query log file. This value is measured in real time, not CPU time, so a query that is under the threshold on a lightly loaded system might be above the threshold on a heavily loaded one. See section 5.8.5 The Slow Query Log.
low_priority_updates
If set to 1, all INSERT, UPDATE, DELETE, and LOCK TABLE WRITE statements wait until there is no pending SELECT or LOCK TABLE READ on the affected table. This variable previously was named sql_low_priority_updates. It was added in MySQL 3.22.5.
lower_case_table_names
If set to 1, table names are stored in lowercase on disk and table name comparisons are not case sensitive. This variable was added in MySQL 3.23.6. If set to 2 (new in 4.0.18), table names are stored as given but compared in lowercase. From MySQL 4.0.2, this option also applies to database names. From 4.1.1, it also applies to table aliases. See section 10.2.2 Identifier Case Sensitivity. Note that you should not set this variable to 0 if you are running MySQL on a system that does not have case-sensitive filenames (such as Windows or Mac OS X). New in 4.0.18: If this variable is 0 and the filesystem on which the data directory is located does not have case-sensitive filenames, MySQL automatically sets lower_case_table_names to 2.
max_allowed_packet
The maximum size of one packet or any generated/intermediate string. The packet message buffer is initialized to net_buffer_length bytes, but can grow up to max_allowed_packet bytes when needed. This value by default is small, to catch big (possibly wrong) packets. You must increase this value if you are using big BLOB columns or long strings. It should be as big as the biggest BLOB you want to use. The protocol limit for max_allowed_packet is 16MB before MySQL 4.0 and 1GB thereafter.
max_binlog_cache_size
If a multiple-statement transaction requires more than this amount of memory, you will get the error Multi-statement transaction required more than 'max_binlog_cache_size' bytes of storage. This variable was added in MySQL 3.23.29.
max_binlog_size
If a write to the binary log exceeds the given value, rotate the binary logs. You cannot set this variable to more than 1GB or to less than 4096 bytes. (The minimum before MYSQL 4.0.14 is 1024 bytes.) The default value is 1GB. This variable was added in MySQL 3.23.33. Note if you are using transactions: A transaction is written in one chunk to the binary log, hence it is never split between several binary logs. Therefore, if you have big transactions, you might see binary logs bigger than max_binlog_size. If max_relay_log_size is 0, the value of max_binlog_size applies to relay logs as well. max_relay_log_size was added in MySQL 4.0.14.
max_connect_errors
If there are more than this number of interrupted connections from a host, that host is blocked from further connections. You can unblock blocked hosts with the FLUSH HOSTS statement.
max_connections
The number of simultaneous client connections allowed. Increasing this value increases the number of file descriptors that mysqld requires. See section 7.4.8 How MySQL Opens and Closes Tables for comments on file descriptor limits. See section A.2.7 Too many connections.
max_delayed_threads
Don't start more than this number of threads to handle INSERT DELAYED statements. If you try to insert data into a new table after all INSERT DELAYED threads are in use, the row will be inserted as if the DELAYED attribute wasn't specified. If you set this to 0, MySQL never creates a thread to handle DELAYED rows; in effect, this disables DELAYED entirely. This variable was added in MySQL 3.23.0.
max_error_count
The maximum number of error, warning, and note messages to be stored for display by SHOW ERRORS or SHOW WARNINGS. This variable was added in MySQL 4.1.0.
max_heap_table_size
This variable sets the maximum size to which MEMORY (HEAP) tables are allowed to grow. The value of the variable is used to calculate MEMORY table MAX_ROWS values. Setting this variable has no effect on any existing MEMORY table, unless the table is re-created with a statement such as CREATE TABLE or TRUNCATE TABLE, or altered with ALTER TABLE. This variable was added in MySQL 3.23.0.
max_insert_delayed_threads
This variable is a synonym for max_delayed_threads. It was added in MySQL 4.0.19.
max_join_size
Don't allow SELECT statements that probably will need to examine more than max_join_size row combinations or are likely to do more than max_join_size disk seeks. By setting this value, you can catch SELECT statements where keys are not used properly and that would probably take a long time. Set it if your users tend to perform joins that lack a WHERE clause, that take a long time, or that return millions of rows. Setting this variable to a value other than DEFAULT resets the SQL_BIG_SELECTS value to 0. If you set the SQL_BIG_SELECTS value again, the max_join_size variable is ignored. If a query result already is in the query cache, no result size check is performed, because the result has already been computed and it will not burden the server to send it to the client. This variable previously was named sql_max_join_size.
max_relay_log_size
If a write by a replication slave to its relay log exceeds the given value, rotate the relay log. This variable enables you to put different size constraints on relay logs and binary logs. However, setting the variable to 0 makes MySQL use max_binlog_size for both binary logs and relay logs. You must set max_relay_log_size to between 4096 bytes and 1GB (inclusive), or to 0. The default value is 0. This variable was added in MySQL 4.0.14. See section 6.3 Replication Implementation Details.
max_seeks_for_key
Limit the assumed maximum number of seeks when looking up rows based on a key. The MySQL optimizer will assume that no more than this number of key seeks will be required when searching for matching rows in a table by scanning a key, regardless of the actual cardinality of the key. By setting this to a low value (100?), you can force MySQL to prefer keys instead of table scans. This variable was added in MySQL 4.0.14.
max_sort_length
The number of bytes to use when sorting BLOB or TEXT values. Only the first max_sort_length bytes of each value are used; the rest are ignored.
max_tmp_tables
(This option doesn't yet do anything.) The maximum number of temporary tables a client can keep open at the same time.
max_user_connections
The maximum number of simultaneous connections allowed to any given MySQL account. A value of 0 means ``no limit.'' This variable was added in MySQL 3.23.34.
max_write_lock_count
After this many write locks, allow some read locks to run in between. This variable was added in MySQL 3.23.7.
myisam_max_extra_sort_file_size
If the temporary file used for fast MyISAM index creation would be larger than using the key cache by the amount specified here, prefer the key cache method. This is mainly used to force long character keys in large tables to use the slower key cache method to create the index. This variable was added in MySQL 3.23.37. Note: The value is given in megabytes before 4.0.3 and in bytes thereafter.
myisam_max_sort_file_size
The maximum size of the temporary file MySQL is allowed to use while re-creating a MyISAM index (during REPAIR TABLE, ALTER TABLE or LOAD DATA INFILE). If the file size would be bigger than this value, the index will be created using the key cache instead, which is slower. This variable was added in MySQL 3.23.37. Note: The value is given in megabytes before 4.0.3 and in bytes thereafter.
myisam_recover_options
The value of the --myisam-recover option. This variable was added in MySQL 3.23.36.
myisam_repair_threads
If this value is greater than 1, MyISAM table indexes are created in parallel (each index in its own thread) during the Repair by sorting process. The default value is 1. Note: Multi-threaded repair is still alpha quality code. This variable was added in MySQL 4.0.13.
myisam_sort_buffer_size
The buffer that is allocated when sorting MyISAM indexes during a REPAIR TABLE or when creating indexes with CREATE INDEX or ALTER TABLE. This variable was added in MySQL 3.23.16.
named_pipe
On Windows, indicates whether the server supports connections over named pipes. This variable was added in MySQL 3.23.50.
net_buffer_length
The communication buffer is reset to this size between queries. This should not normally be changed, but if you have very little memory, you can set it to the expected length of SQL statements sent by clients. If statements exceed this length, the buffer is automatically enlarged, up to max_allowed_packet bytes.
net_read_timeout
The number of seconds to wait for more data from a connection before aborting the read. When the server is reading from the client, net_read_timeout is the timeout value controlling when to abort. When the server is writing to the client, net_write_timeout is the timeout value controlling when to abort. See also slave_net_timeout. This variable was added in MySQL 3.23.20.
net_retry_count
If a read on a communication port is interrupted, retry this many times before giving up. This value should be set quite high on FreeBSD because internal interrupts are sent to all threads. This variable was added in MySQL 3.23.7.
net_write_timeout
The number of seconds to wait for a block to be written to a connection before aborting the write. See also net_read_timeout. This variable was added in MySQL 3.23.20.
open_files_limit
The number of files the operating system allows mysqld to open. This is the real value allowed by the system and might be different from the value you gave mysqld as a startup option. The value is 0 on systems where MySQL can't change the number of open files. This variable was added in MySQL 3.23.20.
pid_file
The pathname of the process ID (PID) file. This variable can be set with the --pid-file option. This variable was added in MySQL 3.23.23.
port
The port on which the server listens for TCP/IP connections. This variable can be set with the --port option.
protocol_version
The version of the client/server protocol used by the MySQL server. This variable was added in MySQL 3.23.18.
query_alloc_block_size
The allocation size of memory blocks that are allocated for objects created during query parsing and execution. If you have problems with memory fragmentation, it might help to increase this a bit. This variable was added in MySQL 4.0.16.
query_cache_limit
Don't cache results that are bigger than this. The default value is 1MB. This variable was added in MySQL 4.0.1.
query_cache_min_res_unit
The minimum size for blocks allocated by the query cache. The default value is 4KB. Tuning information for this variable is given in section 5.10.3 Query Cache Configuration. This variable is present from MySQL 4.1.
query_cache_size
The amount of memory allocated for caching query results. The default value is 0, which disables the query cache. Note that this amount of memory will be allocated even if query_cache_type is set to 0. This variable was added in MySQL 4.0.1.
query_cache_type
Set query cache type. Setting the GLOBAL value sets the type for all clients that connect thereafter. Individual clients can set the SESSION value to affect their own use of the query cache.
Option Description
0 or OFF Don't cache or retrieve results. Note that this will not deallocate the query cache buffer. To do that, you should set query_cache_size to 0.
1 or ON Cache all query results except for those that begin with SELECT SQL_NO_CACHE.
2 or DEMAND Cache results only for queries that begin with SELECT SQL_CACHE.
This variable was added in MySQL 4.0.3.
query_cache_wlock_invalidate
Normally, when one client acquires a WRITE lock on a MyISAM table, other clients are not blocked from issuing queries for the table if the query results are present in the query cache. Setting this variable to 1 causes acquisition of a WRITE lock for a table to invalidate any queries in the query cache that refer to the table. This forces other clients that attempt to access the table to wait while the lock is in effect. This variable was added in MySQL 4.0.19.
query_prealloc_size
The size of the persistent buffer used for query parsing and execution. This buffer is not freed between queries. If you are running complex queries, a larger query_prealloc_size value might be helpful in improving performance, because it can reduce the need for the server to perform memory allocation during query execution operations. This variable was added in MySQL 4.0.16.
range_alloc_block_size
The size of blocks that are allocated when doing range optimization. This variable was added in MySQL 4.0.16.
read_buffer_size
Each thread that does a sequential scan allocates a buffer of this size for each table it scans. If you do many sequential scans, you might want to increase this value. This variable was added in MySQL 4.0.3. Previously, it was named record_buffer.
read_only
When the variable is set to ON for a replication slave server, it causes the slave to allow no updates except from slave threads or from users with the SUPER privilege. This can be useful to ensure that a slave server accepts no updates from clients. This variable was added in MySQL 4.0.14.
read_rnd_buffer_size
When reading rows in sorted order after a sort, the rows are read through this buffer to avoid disk seeks. Setting the variable to a large value can improve ORDER BY performance by a lot. However, this is a buffer allocated for each client, so you should not set the global variable to a large value. Instead, change the session variable only from within those clients that need to run large queries. This variable was added in MySQL 4.0.3. Previously, it was named record_rnd_buffer.
safe_show_database
Don't show databases for which the user has no database or table privileges. This can improve security if you're concerned about people being able to see what databases other users have. See also skip_show_database. This variable was removed in MySQL 4.0.5. Instead, use the SHOW DATABASES privilege to control access by MySQL accounts to database names.
secure_auth
If the MySQL server has been started with the --secure-auth option, it blocks connections from all accounts that have passwords stored in the old (pre-4.1) format. In that case, the value of this variable is ON, otherwise it is OFF. You should enable this option if you want to prevent all usage of passwords in old format (and hence insecure communication over the network). This variable was added in MySQL 4.1.1. Note that server startup will fail with an error if this option is enabled and the privilege tables are in pre-4.1 format. When used as a client-side option, the client refuses to connect to a server if the server requires a password in old format for the client account.
server_id
The value of the --server-id option. It is used for master and slave replication servers. This variable was added in MySQL 3.23.26.
skip_external_locking
Is OFF if mysqld uses external locking. This variable was added in MySQL 4.0.3. Previously, it was named skip_locking.
skip_networking
Is ON if we allow only local (non-TCP/IP) connections. On Unix, local connections use a Unix socket file. On Windows, local connections use a named pipe. On NetWare, only TCP/IP connections are supported, so do not set this variable to ON. This variable was added in MySQL 3.22.23.
skip_show_database
This prevents people from using the SHOW DATABASES statement if they don't have the SHOW DATABASES privilege. This can improve security if you're concerned about people being able to see what databases other users have. See also safe_show_database. This variable was added in MySQL 3.23.4.
slave_net_timeout
The number of seconds to wait for more data from a master/slave connection before aborting the read. This variable was added in MySQL 3.23.40.
slow_launch_time
If creating a thread takes longer than this many seconds, the server increments the Slow_launch_threads status variable. This variable was added in MySQL 3.23.15.
socket
On Unix, this is the Unix socket file used for local client connections. On Windows, this is the name of the named pipe used for local client connections.
sort_buffer_size
Each thread that needs to do a sort allocates a buffer of this size. Increase this value for faster ORDER BY or GROUP BY operations. See section A.4.4 Where MySQL Stores Temporary Files.
sql_mode
The current server SQL mode. This variable was added in MySQL 3.23.41. See section 1.8.2 Selecting SQL Modes.
storage_engine
This variable is a synonym for table_type. It was added in MySQL 4.1.2.
table_cache
The number of open tables for all threads. Increasing this value increases the number of file descriptors that mysqld requires. You can check whether you need to increase the table cache by checking the Opened_tables status variable. See section 5.2.4 Server Status Variables. If the value of Opened_tables is large and you don't do FLUSH TABLES a lot (which just forces all tables to be closed and reopenend), then you should increase the value of the table_cache variable. For more information about the table cache, see section 7.4.8 How MySQL Opens and Closes Tables.
table_type
The default table type (storage engine). To set the table type at server startup, use the --default-table-type option. This variable was added in MySQL 3.23.0. See section 5.2.1 mysqld Command-line Options.
thread_cache_size
How many threads the server should cache for reuse. When a client disconnects, the client's threads are put in the cache if there aren't already thread_cache_size threads there. Requests for threads are satsified by reusing threads taken from the cache if possible, and only when the cache is empty is a new thread created. This variable can be increased to improve performance if you have a lot of new connections. (Normally this doesn't give a notable performance improvement if you have a good thread implementation.) By examing the difference between the Connections and Threads_created status variables (see section 5.2.4 Server Status Variables for details) you can see how efficient the thread cache is. This variable was added in MySQL 3.23.16.
thread_concurrency
On Solaris, mysqld calls thr_setconcurrency() with this value. This function allows applications to give the threads system a hint about the desired number of threads that should be run at the same time. This variable was added in MySQL 3.23.7.
thread_stack
The stack size for each thread. Many of the limits detected by the crash-me test are dependent on this value. The default is large enough for normal operation. See section 7.1.4 The MySQL Benchmark Suite.
timezone
The time zone for the server. This is set from the TZ environment variable when mysqld is started. The time zone also can be set by giving a --timezone argument to mysqld_safe. This variable was added in MySQL 3.23.15. See section A.4.6 Time Zone Problems.
tmp_table_size
If an in-memory temporary table exceeds this size, MySQL automatically converts it to an on-disk MyISAM table. Increase the value of tmp_table_size if you do many advanced GROUP BY queries and you have lots of memory.
tmpdir
The directory used for temporary files and temporary tables. Starting from MySQL 4.1, this variable can be set to a list of several paths that are used in round-robin fashion. Paths should be separated by colon characters (`:') on Unix and semicolon characters (`;') on Windows, NetWare, and OS/2. This feature can be used to spread load between several physical disks. If the MySQL server is acting as a replication slave, you should not set tmpdir to point to a directory on a memory-based filesystem or to a directory that is cleared when the server host restarts. A replication slave needs some of its temporary files to survive a machine restart so that it can replicate temporary tables or LOAD DATA INFILE operations. If files in the temporary file directory are lost when the server restarts, replication will fail. This variable was added in MySQL 3.22.4.
transaction_alloc_block_size
The allocation size of memory blocks that are allocated for storing queries that are part of a transaction to be stored in the binary log when doing a commit. This variable was added in MySQL 4.0.16.
transaction_prealloc_size
The size of the persistent buffer for transaction_alloc_blocks that is not freed between queries. By making this big enough to fit all queries in a common transaction, you can avoid a lot of malloc() calls. This variable was added in MySQL 4.0.16.
tx_isolation
The default transaction isolation level. This variable was added in MySQL 4.0.3.
version
The version number for the server.
wait_timeout
The number of seconds the server waits for activity on a non-interactive connection before closing it. On thread startup, the session wait_timeout value is initialized from the global wait_timeout value or from the global interactive_timeout value, depending on the type of client (as defined by the CLIENT_INTERACTIVE connect option to mysql_real_connect()). See also interactive_timeout.

5.2.3.1 Dynamic System Variables

Beginning with MySQL 4.0.3, many server system variables are dynamic and can be set at runtime using SET GLOBAL or SET SESSION. You can also select their values using SELECT. See section 10.4 System Variables.

The following table shows the full list of all dynamic system variables. The last column indicates for each variable whether GLOBAL or SESSION (or both) apply.

Variable Name Value Type Type
autocommit boolean SESSION
big_tables boolean SESSION
binlog_cache_size numeric GLOBAL
bulk_insert_buffer_size numeric GLOBAL | SESSION
character_set_client string GLOBAL | SESSION
character_set_connection string GLOBAL | SESSION
character_set_results string GLOBAL | SESSION
character_set_server string GLOBAL | SESSION
collation_connection string GLOBAL | SESSION
collation_server string GLOBAL | SESSION
concurrent_insert boolean GLOBAL
connect_timeout numeric GLOBAL
convert_character_set string GLOBAL | SESSION
default_week_format numeric GLOBAL | SESSION
delay_key_write OFF | ON | ALL GLOBAL
delayed_insert_limit numeric GLOBAL
delayed_insert_timeout numeric GLOBAL
delayed_queue_size numeric GLOBAL
error_count numeric SESSION
flush boolean GLOBAL
flush_time numeric GLOBAL
foreign_key_checks boolean SESSION
ft_boolean_syntax numeric GLOBAL
group_concat_max_len numeric GLOBAL | SESSION
identity numeric SESSION
insert_id boolean SESSION
interactive_timeout numeric GLOBAL | SESSION
join_buffer_size numeric GLOBAL | SESSION
key_buffer_size numeric GLOBAL
last_insert_id numeric SESSION
local_infile boolean GLOBAL
log_warnings boolean GLOBAL
long_query_time numeric GLOBAL | SESSION
low_priority_updates boolean GLOBAL | SESSION
max_allowed_packet numeric GLOBAL | SESSION
max_binlog_cache_size numeric GLOBAL
max_binlog_size numeric GLOBAL
max_connect_errors numeric GLOBAL
max_connections numeric GLOBAL
max_delayed_threads numeric GLOBAL
max_error_count numeric GLOBAL | SESSION
max_heap_table_size numeric GLOBAL | SESSION
max_insert_delayed_threads numeric GLOBAL
max_join_size numeric GLOBAL | SESSION
max_relay_log_size numeric GLOBAL
max_seeks_for_key numeric GLOBAL | SESSION
max_sort_length numeric GLOBAL | SESSION
max_tmp_tables numeric GLOBAL
max_user_connections numeric GLOBAL
max_write_lock_count numeric GLOBAL
myisam_max_extra_sort_file_size numeric GLOBAL | SESSION
myisam_max_sort_file_size numeric GLOBAL | SESSION
myisam_repair_threads numeric GLOBAL | SESSION
myisam_sort_buffer_size numeric GLOBAL | SESSION
net_buffer_length numeric GLOBAL | SESSION
net_read_timeout numeric GLOBAL | SESSION
net_retry_count numeric GLOBAL | SESSION
net_write_timeout numeric GLOBAL | SESSION
query_alloc_block_size numeric GLOBAL | SESSION
query_cache_limit numeric GLOBAL
query_cache_size numeric GLOBAL
query_cache_type enumeration GLOBAL | SESSION
query_cache_wlock_invalidate boolean GLOBAL | SESSION
query_prealloc_size numeric GLOBAL | SESSION
range_alloc_block_size numeric GLOBAL | SESSION
read_buffer_size numeric GLOBAL | SESSION
read_only numeric GLOBAL
read_rnd_buffer_size numeric GLOBAL | SESSION
rpl_recovery_rank numeric GLOBAL
safe_show_database boolean GLOBAL
server_id numeric GLOBAL
slave_compressed_protocol boolean GLOBAL
slave_net_timeout numeric GLOBAL
slow_launch_time numeric GLOBAL
sort_buffer_size numeric GLOBAL | SESSION
sql_auto_is_null boolean SESSION
sql_big_selects boolean SESSION
sql_big_tables boolean SESSION
sql_buffer_result boolean SESSION
sql_log_bin boolean SESSION
sql_log_off boolean SESSION
sql_log_update boolean SESSION
sql_low_priority_updates boolean GLOBAL | SESSION
sql_max_join_size numeric GLOBAL | SESSION
sql_quote_show_create boolean SESSION
sql_safe_updates boolean SESSION
sql_select_limit boolean SESSION
sql_slave_skip_counter numeric GLOBAL
sql_warnings boolean SESSION
storage_engine enumeration GLOBAL | SESSION
table_cache numeric GLOBAL
table_type enumeration GLOBAL | SESSION
thread_cache_size numeric GLOBAL
timestamp boolean SESSION
tmp_table_size enumeration GLOBAL | SESSION
transaction_alloc_block_size numeric GLOBAL | SESSION
transaction_prealloc_size numeric GLOBAL | SESSION
tx_isolation enumeration GLOBAL | SESSION
unique_checks boolean SESSION
wait_timeout numeric GLOBAL | SESSION
warning_count numeric SESSION

Variables that are marked as ``string'' take a string value. Variables that are marked as ``numeric'' take a numeric value. Variables that are marked as ``boolean' can be set to 0, 1, ON or OFF. Variables that are marked as ``enumeration'' normally should be set to one of the available values for the variable, but can also be set to the number that corresponds to the desired enumeration value. For enumeration-valued system variables, the The first enumeration value corresponds to 0. This differs from ENUM columns, for which the first enumeration value corresponds to 1.

5.2.4 Server Status Variables

The server maintains many status variables the provide information about its operations. You can view these variables and their values by using the SHOW STATUS statement:

mysql> SHOW STATUS;
+--------------------------+------------+
| Variable_name            | Value      |
+--------------------------+------------+
| Aborted_clients          | 0          |
| Aborted_connects         | 0          |
| Bytes_received           | 155372598  |
| Bytes_sent               | 1176560426 |
| Connections              | 30023      |
| Created_tmp_disk_tables  | 0          |
| Created_tmp_files        | 60         |
| Created_tmp_tables       | 8340       |
| Delayed_errors           | 0          |
| Delayed_insert_threads   | 0          |
| Delayed_writes           | 0          |
| Flush_commands           | 1          |
| Handler_delete           | 462604     |
| Handler_read_first       | 105881     |
| Handler_read_key         | 27820558   |
| Handler_read_next        | 390681754  |
| Handler_read_prev        | 6022500    |
| Handler_read_rnd         | 30546748   |
| Handler_read_rnd_next    | 246216530  |
| Handler_update           | 16945404   |
| Handler_write            | 60356676   |
| Key_blocks_used          | 14955      |
| Key_read_requests        | 96854827   |
| Key_reads                | 162040     |
| Key_write_requests       | 7589728    |
| Key_writes               | 3813196    |
| Max_used_connections     | 0          |
| Not_flushed_delayed_rows | 0          |
| Not_flushed_key_blocks   | 0          |
| Open_files               | 2          |
| Open_streams             | 0          |
| Open_tables              | 1          |
| Opened_tables            | 44600      |
| Qcache_free_blocks       | 36         |
| Qcache_free_memory       | 138488     |
| Qcache_hits              | 79570      |
| Qcache_inserts           | 27087      |
| Qcache_lowmem_prunes     | 3114       |
| Qcache_not_cached        | 22989      |
| Qcache_queries_in_cache  | 415        |
| Qcache_total_blocks      | 912        |
| Questions                | 2026873    |
| Select_full_join         | 0          |
| Select_full_range_join   | 0          |
| Select_range             | 99646      |
| Select_range_check       | 0          |
| Select_scan              | 30802      |
| Slave_open_temp_tables   | 0          |
| Slave_running            | OFF        |
| Slow_launch_threads      | 0          |
| Slow_queries             | 0          |
| Sort_merge_passes        | 30         |
| Sort_range               | 500        |
| Sort_rows                | 30296250   |
| Sort_scan                | 4650       |
| Table_locks_immediate    | 1920382    |
| Table_locks_waited       | 0          |
| Threads_cached           | 0          |
| Threads_connected        | 1          |
| Threads_created          | 30022      |
| Threads_running          | 1          |
| Uptime                   | 80380      |
+--------------------------+------------+

Many status variables are reset to 0 by the FLUSH STATUS statement.

The status variables have the following meanings. The Com_xxx statement counter variable were added beginning with MySQL 3.23.47. The Qcache_xxx query cache variables were added beginning with MySQL 4.0.1. Otherwise, variables with no version indicated have been present since at least MySQL 3.22.

Aborted_clients
The number of connections that were aborted because the client died without closing the connection properly. See section A.2.11 Communication Errors / Aborted Connection.
Aborted_connects
The number of tries to connect to the MySQL server that failed. See section A.2.11 Communication Errors / Aborted Connection.
Binlog_cache_use
The number of transactions that used the temporary binary log cache. This variable was added in MySQL 4.1.2.
Binlog_cache_disk_use
The number of transactions that used the temporary binary log cache but that exceeded the value of binlog_cache_size and used a temporary file to store statements from the transaction. This variable was added in MySQL 4.1.2.
Bytes_received
The number of bytes received from all clients. This variable was added in MySQL 3.23.7.
Bytes_sent
The number of bytes sent to all clients. This variable was added in MySQL 3.23.7.
Com_xxx
The number of times each xxx statement has been executed. There is one status variable for each type of statement. For example, Com_delete and Com_insert count DELETE and INSERT statements.
Connections
The number of connection attempts (successful or not) to the MySQL server.
Created_tmp_disk_tables
The number of temporary tables on disk created automatically by the server while executing statements. This variable was added in MySQL 3.23.24.
Created_tmp_files
How many temporary files mysqld has created. This variable was added in MySQL 3.23.28.
Created_tmp_tables
The number of in-memory temporary tables created automatically by the server while executing statements. If Created_tmp_disk_tables is big, you may want to increase the tmp_table_size value to cause temporary tables to be memory-based instead of disk-based.
Delayed_errors
The number of rows written with INSERT DELAYED for which some error occurred (probably duplicate key).
Delayed_insert_threads
The number of INSERT DELAYED handler threads in use.
Delayed_writes
The number of INSERT DELAYED rows written.
Flush_commands
The number of executed FLUSH statements.
Handler_commit
The number of internal COMMIT statements. This variable was added in MySQL 4.0.2.
Handler_delete
The number of times a row was deleted from a table.
Handler_read_first
The number of times the first entry was read from an index. If this is high, it suggests that the server is doing a lot of full index scans, for example, SELECT col1 FROM foo, assuming that col1 is indexed.
Handler_read_key
The number of requests to read a row based on a key. If this is high, it is a good indication that your queries and tables are properly indexed.
Handler_read_next
The number of requests to read the next row in key order. This will be incremented if you are querying an index column with a range constraint or if you are doing an index scan.
Handler_read_prev
The number of requests to read the previous row in key order. This read method is mainly used to optimize ORDER BY ... DESC. This variable was added in MySQL 3.23.6.
Handler_read_rnd
The number of requests to read a row based on a fixed position. This will be high if you are doing a lot of queries that require sorting of the result. You probably have a lot of queries that require MySQL to scan whole tables or you have joins that don't use keys properly.
Handler_read_rnd_next
The number of requests to read the next row in the datafile. This will be high if you are doing a lot of table scans. Generally this suggests that your tables are not properly indexed or that your queries are not written to take advantage of the indexes you have.
Handler_rollback
The number of internal ROLLBACK statements. This variable was added in MySQL 4.0.2.
Handler_update
The number of requests to update a row in a table.
Handler_write
The number of requests to insert a row in a table.
Key_blocks_used
The number of used blocks in the key cache. You can use this value to determine how much of the key cache is in use; see the discussion of key_buffer_size in section 5.2.3 Server System Variables.
Key_read_requests
The number of requests to read a key block from the cache.
Key_reads
The number of physical reads of a key block from disk. If Key_reads is big, then your key_buffer_size value is probably too small. The cache miss rate can be calculated with Key_reads/Key_read_requests.
Key_write_requests
The number of requests to write a key block to the cache.
Key_writes
The number of physical writes of a key block to disk.
Max_used_connections
The maximum number of connections that have been in use simultaneously since the server started
Not_flushed_delayed_rows
The number of rows waiting to be written in INSERT DELAY queues.
Not_flushed_key_blocks
The number of key blocks in the key cache that have changed but haven't yet been flushed to disk.
Open_files
The number of files that are open.
Open_streams
The number of streams that are open (used mainly for logging).
Open_tables
The number of tables that are open.
Opened_tables
The number of tables that have been opened. If Opened_tables is big, your table_cache value is probably too small.
Qcache_free_blocks
Number of free memory blocks in query cache.
Qcache_free_memory
Amount of free memory for query cache.
Qcache_hits
Number of cache hits.
Qcache_inserts
Number of queries added to the cache.
Qcache_lowmem_prunes
Number of queries that were deleted from cache because of low memory.
Qcache_not_cached
Number of non-cached queries (not cachable, or due to query_cache_type).
Qcache_queries_in_cache
Number of queries registered in the cache.
Qcache_total_blocks
Total number of blocks in query cache.
Questions
The number of queries that have been sent to the server.
Rpl_status
Status of failsafe replication. (Not yet implemented).
Select_full_join
The number of joins that do not use indexes. If this value is not 0, you should carefully check the indexes of your tables. This variable was added in MySQL 3.23.25.
Select_full_range_join
The number of joins where we used a range search on reference table. This variable was added in MySQL 3.23.25.
Select_range
The number of joins where we used ranges on the first table. (It's normally not critical even if this is big.) This variable was added in MySQL 3.23.25.
Select_range_check
The number of joins without keys where we check for key usage after each row (If this is not 0, you should carefully check the indexes of your tables). This variable was added in MySQL 3.23.25.
Select_scan
The number of joins where we did a full scan of the first table. This variable was added in MySQL 3.23.25.
Slave_open_temp_tables
The number of temporary tables currently open by the slave SQL thread. This variable was added in MySQL 3.23.29.
Slave_running
Is ON if this is a slave that is connected to a master. This variable was added in MySQL 3.23.16.
Slow_launch_threads
The number of threads that have taken more than slow_launch_time to create. This variable was added in MySQL 3.23.15.
Slow_queries
The number of queries that have taken more than long_query_time seconds. See section 5.8.5 The Slow Query Log.
Sort_merge_passes
The number of merge passes the sort algorithm has had to do. If this value is large, you should consider increasing the value of the sort_buffer_size system variable. This variable was added in MySQL 3.23.28.
Sort_range
The number of sorts that were done with ranges. This variable was added in MySQL 3.23.25.
Sort_rows
The number of sorted rows. This variable was added in MySQL 3.23.25.
Sort_scan
The number of sorts that were done by scanning the table. This variable was added in MySQL 3.23.25.
Ssl_xxx
Variables used for SSL connections. These variables were added in MySQL 4.0.0.
Table_locks_immediate
The number of times a table lock was acquired immediately. This variable was added as of MySQL 3.23.33.
Table_locks_waited
The number of times a table lock could not be acquired immediately and a wait was needed. If this is high, and you have performance problems, you should first optimize your queries, and then either split your table or tables or use replication. This variable was added as of MySQL 3.23.33.
Threads_cached
The number of threads in the thread cache. This variable was added in MySQL 3.23.17.
Threads_connected
The number of currently open connections.
Threads_created
The number of threads created to handle connections. If Threads_created is big, you may want to increase the thread_cache_size value. The cache hit rate can be calculated with Threads_created/Connections. This variable was added in MySQL 3.23.31.
Threads_running
The number of threads that are not sleeping.
Uptime
The number of seconds the server has been up.

5.3 General Security Issues

This section describes some general security issues to be aware of and what you can do to make your MySQL installation more secure against attack or misuse. For information specifically about the access control system that MySQL uses for setting up user accounts and checking database access, see section 5.4 The MySQL Access Privilege System.

5.3.1 General Security Guidelines

Anyone using MySQL on a computer connected to the Internet should read this section to avoid the most common security mistakes.

In discussing security, we emphasize the necessity of fully protecting the entire server host (not just the MySQL server) against all types of applicable attacks: eavesdropping, altering, playback, and denial of service. We do not cover all aspects of availability and fault tolerance here.

MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations that users can attempt to perform. There is also some support for SSL-encrypted connections between MySQL clients and servers. Many of the concepts discussed here are not specific to MySQL at all; the same general ideas apply to almost all applications.

When running MySQL, follow these guidelines whenever possible:

  • Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql database! This is critical. The encrypted password is the real password in MySQL. Anyone who knows the password which is listed in the user table and has access to the host listed for the account can easily log in as that user.
  • Learn the MySQL access privilege system. The GRANT and REVOKE statements are used for controlling access to MySQL. Do not grant any more privileges than necessary. Never grant privileges to all hosts. Checklist:
    • Try mysql -u root. If you are able to connect successfully to the server without being asked for a password, you have problems. Anyone can connect to your MySQL server as the MySQL root user with full privileges! Review the MySQL installation instructions, paying particular attention to the item about setting a root password.
    • Use the SHOW GRANTS statement and check to see who has access to what. Then use the REVOKE statement to remove those privileges that are not necessary.
  • Do not store any plain-text passwords in your database. If your computer becomes compromised, the intruder can take the full list of passwords and use them. Instead, use MD5(), SHA1() or some other one-way hashing function.
  • Do not choose passwords from dictionaries. There are special programs to break them. Even passwords like ``xfish98'' are very bad. Much better is ``duag98'' which contains the same word ``fish'' but typed one key to the left on a standard QWERTY keyboard. Another method is to use ``Mhall'' which is taken from the first characters of each word in the sentence ``Mary had a little lamb.'' This is easy to remember and type, but difficult to guess for someone who does not know it.
  • Invest in a firewall. This protects you from at least 50% of all types of exploits in any software. Put MySQL behind the firewall or in a demilitarized zone (DMZ). Checklist:
    • Try to scan your ports from the Internet using a tool such as nmap. MySQL uses port 3306 by default. This port should not be accessible from untrusted hosts. Another simple way to check whether or not your MySQL port is open is to try the following command from some remote machine, where server_host is the host where your MySQL server runs:
      shell> telnet server_host 3306
      
      If you get a connection and some garbage characters, the port is open, and should be closed on your firewall or router, unless you really have a good reason to keep it open. If telnet just hangs or the connection is refused, everything is OK; the port is blocked.
  • Do not trust any data entered by users of your applications. They can try to trick your code by entering special or escaped character sequences in Web forms, URLs, or whatever application you have built. Be sure that your application remains secure if a user enters something like ``; DROP DATABASE mysql;''. This is an extreme example, but large security leaks and data loss might occur as a result of hackers using similar techniques, if you do not prepare for them. A common mistake is to protect only string data values. Remember to check numeric data as well. If an application generates a query such as SELECT * FROM table WHERE ID=234 when a user enters the value 234, the user can enter the value 234 OR 1=1 to cause the application to generate the query SELECT * FROM table WHERE ID=234 OR 1=1. As a result, the server retrieves every record in the table. This exposes every record and causes excessive server load. The simplest way to protect from this type of attack is to use apostrophes around the numeric constants: SELECT * FROM table WHERE ID='234'. If the user enters extra information, it all becomes part of the string. In numeric context, MySQL automatically converts this string to a number and strips any trailing non-numeric characters from it. Sometimes people think that if a database contains only publicly available data, it need not be protected. This is incorrect. Even if it is allowable to display any record in the database, you should still protect against denial of service attacks (for example, those that are based on the technique in the preceding paragraph that causes the server to waste resources). Otherwise, your server becomes unresponsive to legitimate users. Checklist:
    • Try to enter `'' and `"' in all your Web forms. If you get any kind of MySQL error, investigate the problem right away.
    • Try to modify any dynamic URLs by adding %22 (`"'), %23 (`#'), and %27 (`'') in the URL.
    • Try to modify datatypes in dynamic URLs from numeric ones to character ones containing characters from previous examples. Your application should be safe against this and similar attacks.
    • Try to enter characters, spaces, and special symbols rather than numbers in numeric fields. Your application should remove them before passing them to MySQL or else generate an error. Passing unchecked values to MySQL is very dangerous!
    • Check data sizes before passing them to MySQL.
    • Consider having your application connect to the database using a different username than the one you use for administrative purposes. Do not give your applications any access privileges they do not need.
  • Many application programming interfaces provide the means of escaping special characters in data values. Properly used, this prevents application users from entering values that cause the application to generate statements that have a different effect than you intend:
    • Users of PHP: Use the mysql_escape_string() function, which is based on the function of the same name in the MySQL C API. Prior to PHP 4.0.3, use addslashes() instead.
    • Users of MySQL C API: Use the mysql_real_escape_string() API call.
    • Users of MySQL++: Use the escape and quote modifiers for query streams.
    • Users of Perl DBI: Use the quote() method or use placeholders.
    • Users of Java JDBC: Use a PreparedStatement object and placeholders.
    Other programming interfaces might have similar capabilities.
  • Do not transmit plain (unencrypted) data over the Internet. This information is accessible to everyone who has the time and ability to intercept it and use it for their own purposes. Instead, use an encrypted protocol such as SSL or SSH. MySQL supports internal SSL connections as of Version 4.0.0. SSH port-forwarding can be used to create an encrypted (and compressed) tunnel for the communication.
  • Learn to use the tcpdump and strings utilities. For most cases, you can check whether MySQL data streams are unencrypted by issuing a command like the following:
    shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings
    
    (This works under Linux and should work with small modifications under other systems.) Warning: If you do not see plaintext data, this doesn't always mean that the information actually is encrypted. If you need high security, you should consult with a security expert.

5.3.2 Making MySQL Secure Against Attackers

When you connect to a MySQL server, you should use a password. The password is not transmitted in clear text over the connection. Password handling during the client connection sequence was upgraded in MySQL 4.1.1 to be very secure. If you are using an older version of MySQL, or are still using pre-4.1.1-style passwords, the encryption algorithm is less strong and with some effort a clever attacker that can sniff the traffic between the client and the server can crack the password. (See section 5.4.9 Password Hashing in MySQL 4.1 for a discussion of the different password handling methods.) If the connection between the client and the server goes through an untrusted network, you should use an SSH tunnel to encrypt the communication.

All other information is transferred as text that can be read by anyone who is able to watch the connection. If you are concerned about this, you can use the compressed protocol (in MySQL Version 3.22 and above) to make traffic much more difficult to decipher. To make the connection even more secure, you should use SSH to get an encrypted TCP/IP connection between a MySQL server and a MySQL client. You can find an Open Source SSH client at http://www.openssh.org/, and a commercial SSH client at http://www.ssh.com/.

If you are using MySQL 4.0 or newer, you can also use internal OpenSSL support. See section 5.5.8 Using Secure Connections.

To make a MySQL system secure, you should strongly consider the following suggestions:

  • Use passwords for all MySQL users. A client program does not necessarily know the identify of the person running it. It is common for client/server applications that the user can specify any username to the client program. For example, anyone can use the mysql program to connect as any other person simply by invoking it as mysql -u other_user db_name if other_user has no password. If all users have a password, connecting using another user's account becomes much more difficult. To change the password for a user, use the SET PASSWORD statement. It is also possible to update the user table in the mysql database directly. For example, to change the password of all MySQL accounts that have a username of root, do this:
    shell> mysql -u root mysql
    mysql> UPDATE user SET Password=PASSWORD('newpwd')
        -> WHERE User='root';
    mysql> FLUSH PRIVILEGES;
    
  • Don't run the MySQL server as the Unix root user. This is very dangerous, because any user with the FILE privilege will be able to create files as root (for example, ~root/.bashrc). To prevent this, mysqld refuses to run as root unless that is specified explicitly using a --user=root option. mysqld can be run as an ordinary unprivileged user instead. You can also create a separate Unix account named mysql to make everything even more secure (use the account only for administering MySQL). To start mysqld as another Unix user, add a user option that specifies the username to the [mysqld] group of the `/etc/my.cnf' option file or the `my.cnf' option file in the server's data directory. For example:
    [mysqld]
    user=mysql
    
    This causes the server to start as the designated user whether you start it manually or by using mysqld_safe or mysql.server. For more details, see section A.3.2 How to Run MySQL as a Normal User. Note that running mysql as a Unix user other than root does not mean that you need to change the root username in the user table. Usernames for MySQL accounts have nothing to do with usernames for Unix accounts.
  • Don't allow the use of symlinks to tables. (This can be disabled with the --skip-symlink option.) This is especially important if you run mysqld as root, because anyone that has write access to the server's data directory could then delete any file in the system! See section 7.6.1.2 Using Symbolic Links for Tables on Unix.
  • Make sure that the only Unix user with read or write privileges in the database directories is the user that mysqld runs as.
  • Don't grant the PROCESS privilege to non-administrative users. The output of mysqladmin processlist shows the text of the currently executing queries, so any user who is allowed to execute that command might be able to see if another user issues an UPDATE user SET password=PASSWORD('not_secure') query. mysqld reserves an extra connection for users who have the PROCESS privilege, so that a MySQL root user can log in and check server activity even if all normal connections are in use.
  • Don't grant the SUPER privilege to non-administrative users. It can be used to terminate client connections, change server operation by changing the value of system variables, and control replication servers.
  • Don't grant the FILE privilege to non-administrative users. Any user that has this privilege can write a file anywhere in the filesystem with the privileges of the mysqld daemon! To make this a bit safer, files generated with SELECT ... INTO OUTFILE will not overwrite existing files and are writable by everyone. The FILE privilege may also be used to read any file that is world-readable or accessible to the Unix user that the server runs as. With this privilege, you can read any file into a database table. This could be abused, for example, by using LOAD DATA to load `/etc/passwd' into a table, which then can be displayed with SELECT.
  • If you don't trust your DNS, you should use IP numbers rather than hostnames in the grant tables. In any case, you should be very careful about creating grant table entries using hostname values that contain wildcards!
  • If you want to restrict the number of connections allowed to a single account, you can do so by setting the max_user_connections variable in mysqld. The GRANT statement also supports resource control options for limiting the extent of server use allowed to an account.

5.3.3 Startup Options for mysqld Concerning Security

The following mysqld options affect security:

--local-infile[={0|1}]
If you start the server with --local-infile=0, clients cannot use LOCAL in LOAD DATA statements. See section 5.3.4 Security Issues with LOAD DATA LOCAL.
--safe-show-database
With this option, the SHOW DATABASES statement displays the names of only those databases for which the user has some kind of privilege. As of version 4.0.2, this option is deprecated and doesn't do anything (it is enabled by default), because there is now a SHOW DATABASES privilege that can be used to control access to database names on a per-account basis. See section 14.5.1.2 GRANT and REVOKE Syntax.
--safe-user-create
If this is enabled, a user cannot create new users with the GRANT statement unless the user has the INSERT privilege for the mysql.user table. If you want a user to have the ability to create new users with those privileges that the user has right to grant, you should grant the user the following privilege:
mysql> GRANT INSERT(user) ON mysql.user TO 'user'@'hostname';
This will ensure that the user can't change any privilege columns directly, but has to use the GRANT statement to give privileges to other users.
--skip-grant-tables
This option causes the server not to use the privilege system at all. This gives everyone full access to all databases! (You can tell a running server to start using the grant tables again by executing a mysqladmin flush-privileges or mysqladmin reload command, or by issuing a FLUSH PRIVILEGES statement.)
--skip-name-resolve
Hostnames are not resolved. All Host column values in the grant tables must be IP numbers or localhost.
--skip-networking
Don't allow TCP/IP connections over the network. All connections to mysqld must be made via Unix socket files. This option is unsuitable when using a MySQL version prior to 3.23.27 with the MIT-pthreads package, because Unix socket files were not supported by MIT-pthreads at that time.
--skip-show-database
Don't allow the SHOW DATABASES statement, unless the user has the SHOW DATABASES privilege. As of version 4.0.2, you should no longer need this option. Access now can be granted to specific accounts with the SHOW DATABASES privilege.

5.3.4 Security Issues with LOAD DATA LOCAL

The LOAD DATA statement can load a file that is located on the server host, or it can load a file that is located on the client host when the LOCAL keyword is specified.

There are two potential security issues with supporting the LOCAL version of LOAD DATA statements:

  • The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access.
  • In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to (assuming a user could run any command against the SQL server). In this environment, the client with respect to the MySQL server actually is the Web server, not the program being run by the user connecting to the Web server.

To deal with these problems, we changed how LOAD DATA LOCAL is handled as of MySQL 3.23.49 and MySQL 4.0.2 (4.0.13 on Windows):

  • By default, all MySQL clients and libraries in binary distributions are compiled with the --enable-local-infile option, to be compatible with MySQL 3.23.48 and before.
  • If you build MySQL from source but don't use the --enable-local-infile option to configure, LOAD DATA LOCAL cannot be used by any client unless it is written explicitly to invoke mysql_options(... MYSQL_OPT_LOCAL_INFILE, 0). See section 20.2.3.40 mysql_options().
  • You can disable all LOAD DATA LOCAL commands from the server side by starting mysqld with the --local-infile=0 option.
  • For the mysql command-line client, LOAD DATA LOCAL can be enabled by specifying the --local-infile[=1] option, or disabled with the --local-infile=0 option. Similarly, for mysqlimport, the --local or -L option enable local datafile loading. In any case, successful use of a local loading operation requires that the server is enabled to allow it.
  • If LOAD DATA LOCAL INFILE is disabled, either in the server or the client, a client that attempts to issue such a statement receives the following error message:
    ERROR 1148: The used command is not allowed with this MySQL version
    

5.4 The MySQL Access Privilege System

MySQL has an advanced but non-standard security/privilege system. This section describes how it works.

5.4.1 What the Privilege System Does

The primary function of the MySQL privilege system is to authenticate a user connecting from a given host, and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE and DELETE.

Additional functionality includes the ability to have an anonymous user and to grant privileges for MySQL-specific functions such as LOAD DATA INFILE and administrative operations.

5.4.2 How the Privilege System Works

The MySQL privilege system ensures that all users may perform only the operations allowed to them. As a user, when you connect to a MySQL server, your identity is determined by the host from which you connect and the username you specify. The system grants privileges according to your identity and what you want to do.

MySQL considers both your hostname and username in identifying you because there is little reason to assume that a given username belongs to the same person everywhere on the Internet. For example, the user joe who connects from office.com need not be the same person as the user joe who connects from elsewhere.com. MySQL handles this by allowing you to distinguish users on different hosts that happen to have the same name: you can grant joe one set of privileges for connections from office.com, and a different set of privileges for connections from elsewhere.com.

MySQL access control involves two stages:

  • Stage 1: The server checks whether you are even allowed to connect.
  • Stage 2: Assuming you can connect, the server checks each statement you issue to see whether you have sufficient privileges to perform it. For example, if you try to select rows from a table in a database or drop a table from the database, the server verifies that you have the SELECT privilege for the table or the DROP privilege for the database.

Note that if your privileges are changed (either by yourself or someone else) while you are connected, those changes will not necessarily take effect immediately for the next statement you issue. See section 5.4.7 When Privilege Changes Take Effect for details.

The server stores privilege information in the grant tables of the mysql database (that is, in the database named mysql). The MySQL server reads the contents of these tables into memory when it starts and re-reads them under the circumstances indicated in section 5.4.7 When Privilege Changes Take Effect. Access-control decisions are based on the in-memory copies of the grant tables.

Normally, you manipulate the contents of the grant tables indirectly by using the GRANT and REVOKE statements to set up accounts and control the privileges available to each one. See section 14.5.1.2 GRANT and REVOKE Syntax. The discussion here describes the underlying structure of the grant tables and how the server uses their contents when interacting with clients.

The server uses the user, db, and host tables in the mysql database at both stages of access control. The columns in these grant tables are shown here:

Table Name user db host
Scope columns Host Host Host
User Db Db
Password User
Privilege columns Select_priv Select_priv Select_priv
Insert_priv Insert_priv Insert_priv
Update_priv Update_priv Update_priv
Delete_priv Delete_priv Delete_priv
Index_priv Index_priv Index_priv
Alter_priv Alter_priv Alter_priv
Create_priv Create_priv Create_priv
Drop_priv Drop_priv Drop_priv
Grant_priv Grant_priv Grant_priv
References_priv References_priv References_priv
Reload_priv
Shutdown_priv
Process_priv
File_priv
Show_db_priv
Super_priv
Create_tmp_table_priv Create_tmp_table_priv Create_tmp_table_priv
Lock_tables_priv Lock_tables_priv Lock_tables_priv
Execute_priv
Repl_slave_priv
Repl_client_priv
ssl_type
ssl_cipher
x509_issuer
x509_subject
max_questions
max_updates
max_connections

During the second stage of access control (request verification), the server may, if the request involves tables, additionally consult the tables_priv and columns_priv tables that provide finer control at the table and column levels. The columns in these tables are shown here:

Table Name tables_priv columns_priv
Scope columns Host Host
Db Db
User User
Table_name Table_name
Column_name
Privilege columns Table_priv Column_priv
Column_priv
Other columns Timestamp Timestamp
Grantor

The Timestamp and Grantor columns currently are unused and are discussed no further here.

Each grant table contains scope columns and privilege columns:

  • Scope columns determine the scope of each entry (row) in the tables, that is, the context in which the entry applies. For example, a user table entry with Host and User values of 'thomas.loc.gov' and 'bob' would be used for authenticating connections made to the server from the host thomas.loc.gov by a client that specifies a username of bob. Similarly, a db table entry with Host, User, and Db column values of 'thomas.loc.gov', 'bob' and 'reports' would be used when bob connects from the host thomas.loc.gov to access the reports database. The tables_priv and columns_priv tables contain scope columns indicating tables or table/column combinations to which each entry applies.
  • Privilege columns indicate the privileges granted by a table entry, that is, what operations can be performed. The server combines the information in the various grant tables to form a complete description of a user's privileges. The rules used to do this are described in section 5.4.6 Access Control, Stage 2: Request Verification.

Scope columns contain strings. They are declared as shown here; the default value for each is the empty string:

Column Name Type
Host CHAR(60)
User CHAR(16)
Password CHAR(16)
Db CHAR(64)
Table_name CHAR(60)
Column_name CHAR(60)

Before MySQL 3.23, the Db column is CHAR(32) in some tables and CHAR(60) in others.

For access-checking purposes, comparisons of Host values are case-insensitive. User, Password, Db, and Table_name values are case-sensitive. Column_name values are case-insensitive in MySQL Version 3.22.12 or later.

In the user, db, and host tables, each privilege is listed in a separate column that is declared as ENUM('N','Y') DEFAULT 'N'. In other words, each privilege can disabled or enabled, with the default being disabled.

In the tables_priv and columns_priv tables, the privilege columns are declared as SET columns. Values in these columns can contain any combination of the privileges controlled by the table:

Table Name Column Name Possible Set Elements
tables_priv Table_priv 'Select', 'Insert', 'Update', 'Delete', 'Create', 'Drop', 'Grant', 'References', 'Index', 'Alter'
tables_priv Column_priv 'Select', 'Insert', 'Update', 'References'
columns_priv Column_priv 'Select', 'Insert', 'Update', 'References'

Briefly, the server uses the grant tables as follows:

  • The user table scope columns determine whether to reject or allow incoming connections. For allowed connections, any privileges granted in the user table indicate the user's global (superuser) privileges. These privileges apply to all databases on the server.
  • The db table scope columns determine which users can access which databases from which hosts. The privilege columns determine which operations are allowed. A privilege granted at the database level applies to the database and to all its tables.
  • The host table is used in conjunction with the db table when you want a given db table entry to apply to several hosts. For example, if you want a user to be able to use a database from several hosts in your network, leave the Host value empty in the user's db table entry, then populate the host table with an entry for each of those hosts. This mechanism is described more detail in section 5.4.6 Access Control, Stage 2: Request Verification. Note: The host table is not affected by the GRANT and REVOKE statements. Most MySQL installations need not use this table at all.
  • The tables_priv and columns_priv tables are similar to the db table, but are more fine-grained: They apply at the table and column levels rather than at the database level. A privilege granted at the table level applies to the table and to all its columns. A privilege granted at the column level applies only to a specific column.

Administrative privileges (such as RELOAD or SHUTDOWN) are specified only in the user table. This is because administrative operations are operations on the server itself and are not database-specific, so there is no reason to list these privileges in the other grant tables. In fact, to determine whether you can perform an administrative operation, the server need consult only the user table.

The FILE privilege also is specified only in the user table. It is not an administrative privilege as such, but your ability to read or write files on the server host is independent of the database you are accessing.

The mysqld server reads the contents of the grant tables into memory when it starts. You can tell it to re-read the tables by issuing a FLUSH PRIVILEGES statement or executing a mysqladmin flush-privileges or mysqladmin reload command. Changes to the grant tables take effect as indicated in section 5.4.7 When Privilege Changes Take Effect.

When you modify the contents of the grant tables, it is a good idea to make sure that your changes set up privileges the way you want. One way to check the privileges for a given account is to use the SHOW GRANTS statement. For example, to determine the privileges that are granted to an account with Host and User values of pc84.example.com and bob, issue this statement:

mysql> SHOW GRANTS FOR 'bob'@'pc84.example.com';

A useful diagnostic tool is the mysqlaccess script, which Yves Carlier has provided for the MySQL distribution. Invoke mysqlaccess with the --help option to find out how it works. Note that mysqlaccess checks access using only the user, db and host tables. It does not check table or column privileges specified in the tables_priv or columns_priv tables.

For additional help in diagnosing privilege-related problems, see section 5.4.8 Causes of Access denied Errors. For general advice on security issues, see section 5.3 General Security Issues.

5.4.3 Privileges Provided by MySQL

Information about account privileges is stored in the user, db, host, tables_priv, and columns_priv tables in the mysql database. The MySQL server reads the contents of these tables into memory when it starts and re-reads them under the circumstances indicated in section 5.4.7 When Privilege Changes Take Effect. Access-control decisions are based on the in-memory copies of the grant tables.

The names used in this manual to refer to the privileges provided by MySQL are shown in the following table, along with the table column name associated with each privilege in the grant tables and the context in which the privilege applies. Further information about the meaning of each privilege may be found at section 14.5.1.2 GRANT and REVOKE Syntax.

Privilege Column Context
ALTER Alter_priv tables
DELETE Delete_priv tables
INDEX Index_priv tables
INSERT Insert_priv tables
SELECT Select_priv tables
UPDATE Update_priv tables
CREATE Create_priv databases, tables, or indexes
DROP Drop_priv databases or tables
GRANT Grant_priv databases or tables
REFERENCES References_priv databases or tables
CREATE TEMPORARY TABLES Create_tmp_table_priv server administration
EXECUTE Execute_priv server administration
FILE File_priv file access on server host
LOCK TABLES Lock_tables_priv server administration
PROCESS Process_priv server administration
RELOAD Reload_priv server administration
REPLICATION CLIENT Repl_client_priv server administration
REPLICATION SLAVE Repl_slave_priv server administration
SHOW DATABASES Show_db_priv server administration
SHUTDOWN Shutdown_priv server administration
SUPER Super_priv server administration

The CREATE TEMPORARY TABLES, EXECUTE, LOCK TABLES, REPLICATION CLIENT, REPLICATION SLAVE, SHOW DATABASES, and SUPER privileges were added in MySQL 4.0.2.

The EXECUTE and REFERENCES privileges currently are unused.

The SELECT, INSERT, UPDATE, and DELETE privileges allow you to perform operations on rows in existing tables in a database.

SELECT statements require the SELECT privilege only if they actually retrieve rows from a table. Some SELECT statements do not access tables and can be executed without permission for any database. For example, you can use the mysql client as a simple calculator to evaluate expressions that make no reference to tables:

mysql> SELECT 1+1;
mysql> SELECT PI()*2;

The CREATE and DROP privileges allow you to create new databases and tables, or to drop (remove) existing databases and tables. Note that if you grant the DROP privilege for the mysql database to a user, that user can drop the database in which the MySQL access privileges are stored!

The INDEX privilege allows you to create or drop (remove) indexes. Note that INDEX applies to existing tables. If you have the CREATE privilege for a table, you can include index definitions in the CREATE TABLE statement.

The ALTER privilege allows you to use ALTER TABLE to change the structure of or rename tables.

The GRANT privilege allows you to give to other users those privileges you yourself possess.

The FILE privilege gives you permission to read and write files on the server host using the LOAD DATA INFILE and SELECT ... INTO OUTFILE statements. A user who has the FILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (Note that this implies the user can read any file in any database directory, because the server can access any of those files.) The FILE privilege also allows the user to create new files in any directory where the MySQL server has write access. (Existing files cannot be overwritten.)

The remaining privileges are used for administrative operations. Many of them can be performed by using using the mysqladmin program or by issuing SQL statements. The following table shows which mysqladmin commands each administrative privilege allows you to execute:

Privilege Commands Permitted to Privilege Holders
RELOAD flush-hosts, flush-logs, flush-privileges, flush-status, flush-tables, flush-threads, refresh, and reload
SHUTDOWN shutdown
PROCESS processlist
SUPER kill

The reload command tells the server to re-read the grant tables into memory. flush-privileges is a synonym for reload. The refresh command closes and reopens the log files and flushes all tables. The other flush-* commands perform functions similar to refresh but are more specific and may be preferable in some instances. For example, if you want to flush just the log files, flush-logs is a better choice than refresh.

The shutdown command shuts down the server. This command can be issued only from mysqladmin. There is no corresponding SQL statement.

The processlist command displays information about the threads executing within the server (that is, about the statements being executed by clients associated with other accounts). The kill command terminates server threads. You can always display or kill your own threads, but you need the PROCESS privilege to display threads initiated by other users and and the SUPER privilege to kill them. See section 14.5.4.3 KILL Syntax. Prior to MySQL 4.0.2 when SUPER was introduced, the PROCESS privilege controls the ability to both see and terminate threads for other clients.

The CREATE TEMPORARY TABLES privilege allows the use of the keyword TEMPORARY in CREATE TABLE statements.

The LOCK TABLES privilege allows the use of explicit LOCK TABLES statements to lock tables for which you have the SELECT privilege. This includes the use of write locks, which prevents anyone else from reading the locked table.

The REPLICATION CLIENT privilege allows the use of SHOW MASTER STATUS and SHOW SLAVE STATUS.

The REPLICATION SLAVE privilege should be granted to accounts that are used by slave servers when they connect to the current server as their master. Without this privilege, the slave cannot request updates that have been made to databases on the master server.

The SHOW DATABASES privilege allows the account to see database names by issuing the SHOW DATABASE statement.

It is a good idea in general to grant privileges only to those accounts that need them, but you should exercise particular caution in granting administrative privileges:

  • The GRANT privilege allows users to give their privileges to other users. Two users with different privileges and with the GRANT privilege are able to combine privileges.
  • The ALTER privilege may be used to subvert the privilege system by renaming tables.
  • The FILE privilege can be abused to read into a database table any files that the MySQL server can read on the server host. This includes all world-readable files and files in the server's data directory. The table can then be accessed using SELECT to transfer its contents to the client host.
  • The SHUTDOWN privilege can be abused to deny service to other users entirely by terminating the server.
  • The PROCESS privilege can be used to view the plain text of currently executing queries, including queries that set or change passwords.
  • The SUPER privilege can be used to terminate other clients or change how the server operates.
  • Privileges granted for the mysql database itself can be used to change passwords and other access privilege information. Passwords are stored encrypted, so a malicious user cannot simply read them to know the plain text password. However, a user with write access to the user table Password column can change an account's password, and then connect to the MySQL server using that account.

There are some things that you cannot do with the MySQL privilege system:

  • You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.
  • You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.

5.4.4 Connecting to the MySQL Server

MySQL client programs generally expect you to specify connection parameters when you want to access a MySQL server:

  • The name of the host where the MySQL server is running
  • Your username
  • Your password

For example, the mysql client can be started as follows from a command-line prompt (indicated here by shell>):

shell> mysql -h host_name -u user_name -pyour_pass

Alternate forms of the -h, -u, and -p options are --host=host_name, --user=user_name, and --password=your_pass. Note that there is no space between -p or --password= and the password following it.

If you use a -p or --password option but do not specify the password value, the client program will prompt you to enter the password. The password is not displayed as you enter it. This is more secure than giving the password on the command line. Any user on your system may be able to see a password specified on the command line by executing a command such as ps auxww. See section 5.5.7 Keeping Your Password Secure.

MySQL client programs use default values for any connection parameter option that you do not specify:

  • The default hostname is localhost.
  • The default username is ODBC on Windows and your Unix login name on Unix.
  • No password is supplied if -p is missing.

Thus, for a Unix user with a login name of joe, all of the following commands are equivalent:

shell> mysql -h localhost -u joe
shell> mysql -h localhost
shell> mysql -u joe
shell> mysql

Other MySQL clients behave similarly.

You can specify different default values to be used when you make a connection, so that you need not enter them on the command line each time you invoke a client program. This can be done in a couple of ways:

  • You can specify connection parameters in the [client] section of an option file. The relevant section of the file might look like this:
    [client]
    host=host_name
    user=user_name
    password=your_pass
    
    Option files are discussed further in section 4.3.2 Using Option Files.
  • You can specify some connection parameters using environment variables. The host can be specified for mysql using MYSQL_HOST. The MySQL username can be specified using USER (this is for Windows and NetWare only). The password can be specified using MYSQL_PWD, although this is insecure; see section 5.5.7 Keeping Your Password Secure. For a list of variables, see section E Environment Variables.

5.4.5 Access Control, Stage 1: Connection Verification

When you attempt to connect to a MySQL server, the server accepts or rejects the connection based on your identity and whether you can verify your identity by supplying the correct password. If not, the server denies access to you completely. Otherwise, the server accepts the connection, then enters Stage 2 and waits for requests.

Your identity is based on two pieces of information:

  • The client host from which you connect
  • Your MySQL username

Identity checking is performed using the three user table scope columns (Host, User, and Password). The server accepts the connection only if the Host and User columns in some user table record match the client hostname and username, and the client supplies the password specified in that record.

Host values in the user table may be specified as follows:

  • A Host value may be a hostname or an IP number, or 'localhost' to indicate the local host.
  • You can use the wildcard characters `%' and `_' in Host column values. These have the same meaning as for pattern-matching operations performed with the LIKE operator. For example, a Host value of '%' matches any hostname, whereas a value of '%.mysql.com' matches any host in the mysql.com domain.
  • As of MySQL Version 3.23, for Host values specified as IP numbers, you can specify a netmask indicating how many address bits to use for the network number. For example:
    mysql> GRANT ALL PRIVILEGES ON db.*
        -> TO david@'192.58.197.0/255.255.255.0';
    
    This allows david to connect from any client host having an IP number client_ip for which the following condition is true:
    client_ip & netmask = host_ip
    
    That is, for the GRANT statement just shown:
    client_ip & 255.255.255.0 = 192.58.197.0
    
    IP numbers that satisfy this condition and can connect to the MySQL server are those that lie in the range from 192.58.197.0 to 192.58.197.255.
  • A blank Host value in a db table record means that its privileges should be combined with those in the entry in the host table that matches the client hostname. The privileges are combined using an AND (intersection) operation, not OR (union). You can find more information about the host table in section 5.4.6 Access Control, Stage 2: Request Verification. A blank Host value in the other grant tables is the same as '%'.

Because you can use IP wildcard values in the Host column (for example, '144.155.166.%' to match every host on a subnet), someone could try to exploit this capability by naming a host 144.155.166.somewhere.com. To foil such attempts, MySQL disallows matching on hostnames that start with digits and a dot. Thus, if you have a host named something like 1.2.foo.com, its name will never match the Host column of the grant tables. An IP wildcard value can match only IP numbers, not hostnames.

In the User column, wildcard characters are not allowed, but you can specify a blank value, which matches any name. If the user table entry that matches an incoming connection has a blank username, the user is considered to be an anonymous user with no name, not a user with the name that the client actually specified. This means that a blank username is used for all further access checking for the duration of the connection (that is, during Stage 2).

The Password column can be blank. This is not a wildcard and does not mean that any password matches. It means that the user must connect without specifying a password.

Non-blank Password values in the user table represent encrypted passwords. MySQL does not store passwords in plaintext form for anyone to see. Rather, the password supplied by a user who is attempting to connect is encrypted (using the PASSWORD() function). The encrypted password then is used during the connection process when checking whether the password is correct. (This is done without the encrypted password ever traveling over the connection.) Note that from MySQL's point of view the encrypted password is the REAL password, so you should not give anyone access to it! In particular, don't give non-administrative users read access to the tables in the mysql database!

From version 4.1 on, MySQL employs a stronger authentication method that has better password protection during the connection process than in earlier versions. It is secure even if TCP/IP packets are sniffed or the mysql database is captured. Password encryption is discussed further in section 5.4.9 Password Hashing in MySQL 4.1.

The following examples show how various combinations of Host and User values in the user table apply to incoming connections:

Host Value User Value Connections Matched by Entry
'thomas.loc.gov' 'fred' fred, connecting from thomas.loc.gov
'thomas.loc.gov' '' Any user, connecting from thomas.loc.gov
'%' 'fred' fred, connecting from any host
'%' '' Any user, connecting from any host
'%.loc.gov' 'fred' fred, connecting from any host in the loc.gov domain
'x.y.%' 'fred' fred, connecting from x.y.net, x.y.com,x.y.edu, etc. (this is probably not useful)
'144.155.166.177' 'fred' fred, connecting from the host with IP address 144.155.166.177
'144.155.166.%' 'fred' fred, connecting from any host in the 144.155.166 class C subnet
'144.155.166.0/255.255.255.0' 'fred' Same as previous example

It is possible for the client hostname and username of an incoming connection to match more than one entry in the user table. The preceding set of examples demonstrates this: Several of the entries shown match a connection from thomas.loc.gov by fred.

When multiple matches are possible, the server must determine which of them to use. It resolves this issue as follows:

  • Whenever the server reads the user table into memory, it sorts the entries.
  • When a client attempts to connect, the server looks through the entries in sorted order.
  • The server uses the first entry that matches the client hostname and username.

To see how this works, suppose that the user table looks like this:

+-----------+----------+-
| Host      | User     | ...
+-----------+----------+-
| %         | root     | ...
| %         | jeffrey  | ...
| localhost | root     | ...
| localhost |          | ...
+-----------+----------+-

When the server reads in the table, it orders the entries with the most-specific Host values first. Literal hostnames and IP numbers are the most specific. The pattern '%' means ``any host'' and is least specific. Entries with the same Host value are ordered with the most-specific User values first (a blank User value means ``any user'' and is least specific). For the user table just shown, the result after sorting looks like this:

+-----------+----------+-
| Host      | User     | ...
+-----------+----------+-
| localhost | root     | ...
| localhost |          | ...
| %         | jeffrey  | ...
| %         | root     | ...
+-----------+----------+-

When a client attempts to connect, the server looks through the sorted entries and uses the first match found. For a connection from localhost by jeffrey, two of the entries in the table match: The one with Host and User values of 'localhost' and '', and the one with values of '%' and 'jeffrey'. The 'localhost' entry appears first in sorted order, so that is the one the server uses.

Here is another example. Suppose that the user table looks like this:

+----------------+----------+-
| Host           | User     | ...
+----------------+----------+-
| %              | jeffrey  | ...
| thomas.loc.gov |          | ...
+----------------+----------+-

The sorted table looks like this:

+----------------+----------+-
| Host           | User     | ...
+----------------+----------+-
| thomas.loc.gov |          | ...
| %              | jeffrey  | ...
+----------------+----------+-

A connection by jeffrey from thomas.loc.gov is matched by the first entry, whereas a connection by jeffrey from whitehouse.gov is matched by the second.

It is a common misconception to think that for a given username, all entries that explicitly name that user will be used first when the server attempts to find a match for the connection. This is simply not true. The previous example illustrates this, where a connection from thomas.loc.gov by jeffrey is first matched not by the entry containing 'jeffrey' as the User column value, but by the entry with no username! (As a result, jeffrey will be authenticated as an anonymous user, even though he specified a username when connecting.)

If you are able to connect to the server, but your privileges are not what you expect, you probably are being authenticated as some other account. To find out what account the server used to authenticate you, use the CURRENT_USER() function. It returns a value in user_name@host_name format that indicates the User and Host values from the matching user table record. Suppose that jeffrey connects and issues the following query:

mysql> SELECT CURRENT_USER();
+----------------+
| CURRENT_USER() |
+----------------+
| @localhost     |
+----------------+

The result shown here indicates that the matching user table entry had a blank User column value. In other words, the server is treating jeffrey as an anonymous user.

The CURRENT_USER() function is available as of MySQL 4.0.6. See section 13.8.3 Information Functions. Another thing you can do to diagnose authentication problems is to print out the user table and sort it by hand to see where the first match is being made.

5.4.6 Access Control, Stage 2: Request Verification

Once you establish a connection, the server enters Stage 2 of access control. For each request that comes in on the connection, the server determines what operation you want to perform, then checks whether you have sufficient privileges to do so. This is where the privilege columns in the grant tables come into play. These privileges can come from any of the user, db, host, tables_priv, or columns_priv tables. (You may find it helpful to refer to section 5.4.2 How the Privilege System Works, which lists the columns present in each of the grant tables.)

The user table grants privileges that are assigned to you on a global basis and that apply no matter what the current database is. For example, if the user table grants you the DELETE privilege, you can delete rows from any database on the server host! In other words, user table privileges are superuser privileges. It is wise to grant privileges in the user table only to superusers such as database administrators. For other users, you should leave the privileges in the user table set to 'N' and grant privileges at more specific levels only. You can grant privileges for particular databases, tables, or columns.

The db and host tables grant database-specific privileges. Values in the scope columns of these tables can take the following forms:

  • The wildcard characters `%' and `_' can be used in the Host and Db columns of either table. These have the same meaning as for pattern-matching operations performed with the LIKE operator. If you want to use either character literally when granting privileges, you must escape it with a backslash. For example, to include `_' character as part of a database name, specify it as `\_' in the GRANT statement.
  • A '%' Host value in the db table means ``any host.'' A blank Host value in the db table means ``consult the host table for further information'' (a process that is described later in this section).
  • A '%' or blank Host value in the host table means ``any host.''
  • A '%' or blank Db value in either table means ``any database.''
  • A blank User value in either table matches the anonymous user.

The server reads in and sorts the db and host tables at the same time that it reads the user table. The server sorts the db table based on the Host, Db, and User scope columns, and sorts the host table based on the Host and Db scope columns. As with the user table, sorting puts the most-specific values first and least-specific values last, and when the server looks for matching entries, it uses the first match that it finds.

The tables_priv and columns_priv tables grant table-specific and column-specific privileges. Values in the scope columns of these tables can take the following form:

  • The wildcard characters `%' and `_' can be used in the Host column of either table. These have the same meaning as for pattern-matching operations performed with the LIKE operator.
  • A '%' or blank Host value in either table means ``any host.''
  • The Db, Table_name and Column_name columns cannot contain wildcards or be blank in either table.

The server sorts the tables_priv and columns_priv tables based on the Host, Db, and User columns. This is similar to db table sorting, but simpler because only the Host column can contain wildcards.

The request verification process is described here. (If you are familiar with the access-checking source code, you will notice that the description here differs slightly from the algorithm used in the code. The description is equivalent to what the code actually does; it differs only to make the explanation simpler.)

For requests that require administrative privileges such as SHUTDOWN or RELOAD, the server checks only the user table entry because that is the only table that specifies administrative privileges. Access is granted if the entry allows the requested operation and denied otherwise. For example, if you want to execute mysqladmin shutdown but your user table entry doesn't grant the SHUTDOWN privilege to you, the server denies access without even checking the db or host tables. (They contain no Shutdown_priv column, so there is no need to do so.)

For database-related requests (INSERT, UPDATE, etc.), the server first checks the user's global (superuser) privileges by looking in the user table entry. If the entry allows the requested operation, access is granted. If the global privileges in the user table are insufficient, the server determines the user's database-specific privileges by checking the db and host tables:

  1. The server looks in the db table for a match on the Host, Db, and User columns. The Host and User columns are matched to the connecting user's hostname and MySQL username. The Db column is matched to the database the user wants to access. If there is no entry for the Host and User, access is denied.
  2. If there is a matching db table entry and its Host column is not blank, that entry defines the user's database-specific privileges.
  3. If the matching db table entry's Host column is blank, it signifies that the host table enumerates which hosts should be allowed access to the database. In this case, a further lookup is done in the host table to find a match on the Host and Db columns. If no host table entry matches, access is denied. If there is a match, the user's database-specific privileges are computed as the intersection (not the union!) of the privileges in the db and host table entries; that is, the privileges that are 'Y' in both entries. (This way you can grant general privileges in the db table entry and then selectively restrict them on a host-by-host basis using the host table entries.)

After determining the database-specific privileges granted by the db and host table entries, the server adds them to the global privileges granted by the user table. If the result allows the requested operation, access is granted. Otherwise, the server successively checks the user's table and column privileges in the tables_priv and columns_priv tables, adds those to the user's privileges, and allows or denies access based on the result.

Expressed in boolean terms, the preceding description of how a user's privileges are calculated may be summarized like this:

global privileges
OR (database privileges AND host privileges)
OR table privileges
OR column privileges

It may not be apparent why, if the global user entry privileges are initially found to be insufficient for the requested operation, the server adds those privileges to the database, table, and column privileges later. The reason is that a request might require more than one type of privilege. For example, if you execute an INSERT INTO ... SELECT statement, you need both the INSERT and the SELECT privileges. Your privileges might be such that the user table entry grants one privilege and the db table entry grants the other. In this case, you have the necessary privileges to perform the request, but the server cannot tell that from either table by itself; the privileges granted by the entries in both tables must be combined.

The host table is not affected by the GRANT or REVOKE statements, so it is unused in most MySQL installations. If you modify it directly, you can use it for some specialized purposes, such as to to maintain a list of secure servers. For example, at TcX, the host table contains a list of all machines on the local network. These are granted all privileges.

You can also use the host table to indicate hosts that are not secure. Suppose that you have a machine public.your.domain that is located in a public area that you do not consider secure. You can allow access to all hosts on your network except that machine by using host table entries like this:

+--------------------+----+-
| Host               | Db | ...
+--------------------+----+-
| public.your.domain | %  | ... (all privileges set to 'N')
| %.your.domain      | %  | ... (all privileges set to 'Y')
+--------------------+----+-

Naturally, you should always test your entries in the grant tables (for example, by using mysqlaccess) to make sure your access privileges are actually set up the way you think they are.

5.4.7 When Privilege Changes Take Effect

When mysqld starts, all grant table contents are read into memory and become effective at that point for access control.

When the server reloads the grant tables, privileges for existing client connections are affected as follows:

  • Table and column privilege changes take effect with the client's next request.
  • Database privilege changes take effect at the next USE db_name statement.
  • Changes to global privileges and passwords take effect the next time the client connects.

If you modify the grant tables using GRANT, REVOKE, or SET PASSWORD, the server notices these changes and reloads the grant tables into memory again immediately.

If you modify the grant tables directly using statements such as INSERT, UPDATE, or DELETE, your changes have no effect on privilege checking until you either restart the server or tell it to reload the tables. To reload the grant tables manually, issue a FLUSH PRIVILEGES statement or execute a mysqladmin flush-privileges or mysqladmin reload command.

If you change the grant tables directly but forget to reload them, your changes will have no effect until you restart the server. This may leave you wondering why your changes don't seem to make any difference!

5.4.8 Causes of Access denied Errors

If you encounter problems when you try to connect to the MySQL server, the following items describe some courses of action you can take to correct the problem.

  • Make sure that the server is running. If it is not, you cannot connect to it. For example, if you attempt to connect to the server and see a message such as one of those following, one cause might be that the server is not running:
    shell> mysql
    ERROR 2003: Can't connect to MySQL server on 'host_name' (111)
    shell> mysql
    ERROR 2002: Can't connect to local MySQL server through socket
    '/tmp/mysql.sock' (111)
    
    It might also be that the server is running, but you are trying to connect using a TCP/IP port, named pipe, or Unix socket file different than those on which the server is listening. To correct this when you invoke a client program, specify a --port option to indicate the proper port, or a --socket option to indicate the proper named pipe or Unix socket file.
  • The grant tables must be properly set up so that the server can use them for access control. For installations on Windows using a binary distribution or on Linux using a server RPM distribution, the installation process initializes the mysql database containing the grant tables. For other MySQL installation types, you should initialize the grant tables manually by running the mysql_install_db script. See section 5.5.2 Securing the Initial MySQL Accounts. One way to determine whether you need to initialize the grant tables is to look for a `mysql' directory under the data directory. (The data directory normally is named `data' or `var' and is located under your MySQL installation directory.) Make sure you have a file named `user.MYD' in the `mysql' database directory. If you do not, execute the mysql_install_db script. After running this script and starting the server, test the initial privileges by executing this command:
    shell> mysql -u root test
    
    The server should let you connect without error.
  • After a fresh installation, you should connect to the server and set up your users and their access permissions:
    shell> mysql -u root mysql
    
    The server should let you connect because the MySQL root user has no password initially. That is also a security risk, so setting the password for the root accounts is something you should do while you're setting up your other MySQL users. For instructions on setting the initial passwords, see section 5.5.2 Securing the Initial MySQL Accounts.
  • If you have updated an existing MySQL installation to a newer version, did you run the mysql_fix_privilege_tables script? If not, do so. The structure of the grant tables changes occasionally when new capabilities are added, so you should always make sure after an upgrade that your tables have the current structure. For instructions, see section 2.5.8 Upgrading the Grant Tables.
  • If a client program receives the following error message when it tries to connect, it means that the server expects passwords in a newer format than the client is capable of generating:
    shell> mysql
    Client does not support authentication protocol requested
    by server; consider upgrading MySQL client
    
    For instructions on how to deal with this, see section 5.4.9 Password Hashing in MySQL 4.1.
  • If you try to connect as root and get the following error, it means that you don't have an entry in the user table with a User column value of 'root' and that mysqld cannot resolve the hostname for your client:
    Access denied for user: '@unknown' to database mysql
    
    In this case, you must restart the server with the --skip-grant-tables option and edit your `/etc/hosts' or `\windows\hosts' file to add an entry for your host.
  • Remember that client programs will use connection parameters specified in option files or environment variables. If a client program seems to be sending incorrect default connection parameters when you don't specify them on the command line, check your environment and any applicable option files. For example, if you get Access denied when you run a client without any options, make sure you haven't specified an old password in any of your option files! You can suppress the use of option files with the --no-defaults option as follows:
    shell> mysqladmin --no-defaults -u root ver
    
    The option files that clients use are listed in section 4.3.2 Using Option Files. Environment variables are listed in section E Environment Variables.
  • If you get the following error, it means that you are using an incorrect root password:
    shell> mysqladmin -u root -pxxxx ver
    Access denied for user: 'root@localhost' (Using password: YES)
    
    If the preceding error occurs even when you haven't specified a password, it means that you have an incorrect password listed in some option file. Try the --no-defaults option as described in the previous item. For information on changing passwords, see section 5.5.6 Assigning Account Passwords. If you have lost the root password, you can restart mysqld with --skip-grant-tables to change the password. See section A.4.2 How to Reset the Root Password.
  • If you change a password by using SET PASSWORD, INSERT, or UPDATE, you must encrypt the password using the PASSWORD() function. If you do not use PASSWORD() for these statements, the password will not work. For example, the following statement sets a password, but fails to encrypt it, so the user will not be able to connect afterward:
    mysql> SET PASSWORD FOR 'abe'@'host_name' = 'eagle';
    
    Instead, set the password like this:
    mysql> SET PASSWORD FOR 'abe'@'host_name' = PASSWORD('eagle');
    
    The PASSWORD() function is unnecessary when you specify a password using the GRANT statement or the mysqladmin password command, both of which automatically use PASSWORD() to encrypt the password. See section 5.5.6 Assigning Account Passwords.
  • localhost is a synonym for your local hostname, and is also the default host to which clients try to connect if you specify no host explicitly. However, connections to localhost on Unix systems do not work if you are using a MySQL version older than 3.23.27 that uses MIT-pthreads: localhost connections are made using Unix socket files, which were not supported by MIT-pthreads at that time. To avoid this problem on such systems, you can use a --host=127.0.0.1 option to name the server host explicitly. This will make a TCP/IP connection to the local mysqld server. You can also use TCP/IP by specifying a --host option that uses the actual hostname of the local host. In this case, the hostname must be specified in a user table entry on the server host, even though you are running the client program on the same host as the server.
  • If you get an Access denied error when trying to connect to the database with mysql -u user_name, you may have a problem with the user table. Check this by executing mysql -u root mysql and issuing this SQL statement:
    mysql> SELECT * FROM user;
    
    The result should include an entry with the Host and User columns matching your computer's hostname and your MySQL username.
  • The Access denied error message will tell you who you are trying to log in as, the client host from which you are trying to connect, and whether or not you were using a password. Normally, you should have one entry in the user table that exactly matches the hostname and username that were given in the error message. For example, if you get an error message that contains Using password: NO, it means that you tried to log in without an password.
  • If the following error occurs when you try to connect from a host other than the one on which the MySQL server is running, it means that there is no row in the user table with a Host value that matches the client host:
    Host ... is not allowed to connect to this MySQL server
    
    You can fix this by invoking the command-line tool mysql on the server host and setting up an account for the combination of client hostname and username that you are using when trying to connect. If you don't know the IP number or hostname of the machine from which you are connecting, you should put an entry with '%' as the Host column value in the user table and restart mysqld with the --log option on the server machine. After trying to connect from the client machine, the information in the MySQL log will indicate how you really did connect. (Then replace the '%' in the user table entry with the actual hostname that shows up in the log. Otherwise, you'll have a system that is insecure because it allows connections from any host for the given username.) On Linux, another reason that this error might occur is that you are using a binary MySQL version that is compiled with a different version of the glibc library than the one you are using. In this case, you should either upgrade your operating system or glibc, or download a source distribution of MySQL version and compile it yourself. A source RPM is normally trivial to compile and install, so this isn't a big problem.
  • If you specify a hostname when trying to connect, but get an error message where the hostname is not shown or is an IP number, it means that the MySQL server got an error when trying to resolve the IP number of the client host to a name:
    shell> mysqladmin -u root -pxxxx -h some-hostname ver
    Access denied for user: 'root@' (Using password: YES)
    
    This indicates a DNS problem. To fix it, execute mysqladmin flush-hosts to reset the internal DNS hostname cache. See section 7.5.5 How MySQL uses DNS. Some permanent solutions are:
    • Try to find out what is wrong with your DNS server and fix it.
    • Specify IP numbers rather than hostnames in the MySQL grant tables.
    • Put an entry for the client machine name in /etc/hosts.
    • Start mysqld with the --skip-name-resolve option.
    • Start mysqld with the --skip-host-cache option.
    • On Unix, if you are running the server and the client on the same machine, connect to localhost. Unix connections to localhost use a Unix socket file rather than TCP/IP.
    • On Windows, if you are running the server and the client on the same machine and the server supports named pipe connections, connect to the hostname . (period). Connections to . use a named pipe rather than TCP/IP.
  • If mysql -u root test works but mysql -h your_hostname -u root test results in Access denied (where your_hostname is the actual hostname of the local host), you may not have the correct name for your host in the user table. A common problem here is that the Host value in the user table entry specifies an unqualified hostname, but your system's name resolution routines return a fully qualified domain name (or vice-versa). For example, if you have an entry with host 'tcx' in the user table, but your DNS tells MySQL that your hostname is 'tcx.subnet.se', the entry will not work. Try adding an entry to the user table that contains the IP number of your host as the Host column value. (Alternatively, you could add an entry to the user table with a Host value that contains a wildcard; for example, 'tcx.%'. However, use of hostnames ending with `%' is insecure and is not recommended!)
  • If mysql -u user_name test works but mysql -u user_name other_db_name doesn't work, you have not granted database access for other_db_name to the given user.
  • If mysql -u user_name works when executed on the server host, but mysql -h host_name -u user_name doesn't work when executed on a remote client host, you have not enabled access to the server for the given username from the remote host.
  • If you can't figure out why you get Access denied, remove from the user table all entries that have Host values containing wildcards (entries that contain `%' or `_'). A very common error is to insert a new entry with Host='%' and User='some user', thinking that this will allow you to specify localhost to connect from the same machine. The reason that this doesn't work is that the default privileges include an entry with Host='localhost' and User=''. Because that entry has a Host value 'localhost' that is more specific than '%', it is used in preference to the new entry when connecting from localhost! The correct procedure is to insert a second entry with Host='localhost' and User='some_user', or to delete the entry with Host='localhost' and User=''. After deleting the entry, remember to issue a FLUSH PRIVILEGES statement to reload the grant tables.
  • If you get the following error, you may have a problem with the db or host table:
    Access to database denied
    
    If the entry selected from the db table has an empty value in the Host column, make sure there are one or more corresponding entries in the host table specifying which hosts the db table entry applies to.
  • If you are able to connect to the MySQL server, but get an Access denied message whenever you issue a SELECT ... INTO OUTFILE or LOAD DATA INFILE statement, your entry in the user table doesn't have the FILE privilege enabled.
  • If you change the grant tables directly (for example, by using INSERT, UPDATE, or DELETE statements) and your changes seem to be ignored, remember that you must issue a FLUSH PRIVILEGES statement or execute a mysqladmin flush-privileges command to cause the server to re-read the privilege tables. Otherwise, your changes have no effect until the next time the server is restarted. Remember that after you set the root password with an UPDATE command, you won't need to specify the new password until after you flush the privileges, because the server won't know you've changed the password yet!
  • If your privileges seem to have changed in the middle of a session, it may be that a MySQL administrator has changed them. Reloading the grant tables affects new client connections, but it also affects existing connections as indicated in section 5.4.7 When Privilege Changes Take Effect.
  • If you have access problems with a Perl, PHP, Python, or ODBC program, try to connect to the server with mysql -u user_name db_name or mysql -u user_name -pyour_pass db_name. If you are able to connect using the mysql client, the problem lies with your program, not with the access privileges. (Note that there is no space between -p and the password; you can also use the --password=your_pass syntax to specify the password. If you use the -p option alone, MySQL will prompt you for the password.)
  • For testing, start the mysqld server with the --skip-grant-tables option. Then you can change the MySQL grant tables and use the mysqlaccess script to check whether your modifications have the desired effect. When you are satisfied with your changes, execute mysqladmin flush-privileges to tell the mysqld server to start using the new grant tables. (Reloading the grant tables overrides the --skip-grant-tables option. This allows you to tell the server to begin using the grant tables again without stopping and restarting it.)
  • If everything else fails, start the mysqld server with a debugging option (for example, --debug=d,general,query). This will print host and user information about attempted connections, as well as information about each command issued. See section D.1.2 Creating Trace Files.
  • If you have any other problems with the MySQL grant tables and feel you must post the problem to the mailing list, always provide a dump of the MySQL grant tables. You can dump the tables with the mysqldump mysql command. As always, post your problem using the mysqlbug script. See section 1.7.1.3 How to Report Bugs or Problems. In some cases, you may need to restart mysqld with --skip-grant-tables to run mysqldump.

5.4.9 Password Hashing in MySQL 4.1

MySQL user accounts are listed in the user table of the mysql database. Each MySQL account is assigned a password, although what is stored in the Password column of the user table is not the plaintext version of the password, but a hash value computed from it. Password hash values are computed by the PASSWORD() function.

MySQL uses passwords in two phases of client/server communication:

  • When a client attempts to connect to the server, there is an initial authentication step in which the client must present a password that has a hash value matching the hash value stored in the user table for the account that the client wants to use.
  • After the client connects, it can (if it has sufficient privileges) set or change the password hashes for accounts listed in the user table. The client can do this by using the PASSWORD() function to generate a password hash, or by using the GRANT or SET PASSWORD statements.

In other words, the server uses hash values during authentication when a client first attempts to connect. The server generates hash values if a connected client invokes the PASSWORD() function or uses a GRANT or SET PASSWORD statement to set or change a password.

The password hashing mechanism was updated in MySQL 4.1 to provide better security and to reduce the risk of passwords being intercepted. However, this new mechanism is understood only by the 4.1 server and 4.1 clients, which can result in some compatibility problems. A 4.1 client can connect to a pre-4.1 server, because the client understands both the old and new password hashing mechanisms. However, a pre-4.1 client that attempts to connect to a 4.1 server may run into difficulties. For example, a 4.0 mysql client that attempts to connect to a 4.1 server may fail with the following error message:

shell> mysql -h localhost -u root
Client does not support authentication protocol requested
by server; consider upgrading MySQL client

The following discussion describes the differences between the old and new password mechanisms, and what you should do if you upgrade your server to 4.1 but need to maintain backward compatibility with pre-4.1 clients.

Note: This discussion contrasts 4.1 behavior with pre-4.1 behavior, but the 4.1 behavior described here actually begins with 4.1.1. MySQL 4.1.0 is an ``odd'' release because it has a slightly different mechanism than that implemented in 4.1.1 and up. Differences between 4.1.0 and more recent versions are described further in section 5.4.9.2 Password Hashing in MySQL 4.1.0.

Prior to MySQL 4.1, password hashes computed by the PASSWORD() function are 16 bytes long. Such hashes look like this:

mysql> SELECT PASSWORD('mypass');
+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

The Password column of the user table (in which these hashes are stored) also is 16 bytes long before MySQL 4.1.

As of MySQL 4.1, the PASSWORD() function has been modified to produce a longer 41-byte hash value:

mysql> SELECT PASSWORD('mypass');
+-----------------------------------------------+
| PASSWORD('mypass')                            |
+-----------------------------------------------+
| *43c8aa34cdc98eddd3de1fe9a9c2c2a9f92bb2098d75 |
+-----------------------------------------------+

Accordingly, the Password column in the user table also must be 41 bytes long to store these values:

  • If you perform a new installation of MySQL 4.1, the Password column will be made 41 bytes long automatically.
  • If you upgrade an older installation to 4.1, you should run the mysql_fix_privilege_tables script to increase the length of the Password column from 16 to 41 bytes. (The script does not change existing password values, which remain 16 bytes long.)

A widened Password column can store password hashes in both the old and new formats. The format of any given password hash value can be determined two ways:

  • The obvious difference is the length (16 bytes versus 41 bytes).
  • A second difference is that password hashes in the new format always begin with a `*' character, whereas passwords in the old format never do.

The longer password hash format has better cryptographic properties, and client authentication based on long hashes is more secure than that based on the older short hashes.

The differences between short and long password hashes are relevant both for how the server uses passwords during authentication and for how it generates password hashes for connected clients that perform password-changing operations.

The way in which the server uses password hashes during authentication is affected by the width of the Password column:

  • If the column is short, only short-hash authentication is used.
  • If the column is long, it can hold either short or long hashes, and the server can use either format:
    • Pre-4.1 clients can connect, though because they know only about the old hashing mechanism, they can authenticate only for accounts that have short hashes.
    • 4.1 clients can authenticate for accounts that have short or long hashes.

For short-hash accounts, the authentication process is actually a bit more secure for 4.1 clients than for older clients. In terms of security, the gradient from least to most secure is:

  • Pre-4.1 client authenticating for account with short password hash
  • 4.1 client authenticating for account with short password hash
  • 4.1 client authenticating for account with long password hash

The way in which the server generates password hashes for connected clients is affected by the width of the Password column and by the --old-passwords option. A 4.1 server generates long hashes only if certain conditions are met: The Password column must be wide enough to hold long values and the --old-passwords option must not be given. These conditions apply as follows:

  • The Password column must be wide enough to hold long hashes (41 bytes). If the column has not been updated and still has the pre-4.1 width of 16 bytes, the server notices that long hashes cannot fit into it and generates only short hashes when a client performs password-changing operations using PASSWORD(), GRANT, or SET PASSWORD. This is the behavior that occurs if you have upgraded to 4.1 but have not yet run the mysql_fix_privilege_tables script to widen the Password column.
  • If the Password column is wide, it can store either short or long password hashes. In this case, PASSWORD(), GRANT, and SET PASSWORD generate long hashes unless the server was started with the --old-passwords option. That option forces the server to generate short passsword hashes instead.

The purpose of the --old-passwords option is to allow you to maintain backward compatibility with pre-4.1 clients under circumstances where the server would otherwise generate long password hashes. The option doesn't affect authentication (4.1 clients can still use accounts that have long password hashes), but it does prevent creation of a long password hash in the user table as the result of a password-changing operation. Were that to occur, the account no longer could be used by pre-4.1 clients. Without the --old-passwords option, the following undesirable scenario is possible:

  • An old client connects to an account that has a short password hash.
  • The client changes its own password. Without --old-passwords, this results in the account having a long password hash.
  • The next time the old client attempts to connect to the account, it cannot, because the account now has a long password hash that requires the new hashing mechanism during authentication. (Once an account has a long password hash in the user table, only 4.1 clients can authenticate for it, because pre-4.1 clients do not understand long hashes.)

This scenario illustrates that, if you must support older pre-4.1 clients, it is dangerous to run a 4.1 server without using the --old-passwords option. By running the server with --old-passwords, password-changing operations will not generate long password hashes and thus do not cause accounts to become inaccessible to older clients. (Those clients cannot inadvertently lock themselves out by changing their password and ending up with a long password hash.)

The downside of the --old-passwords option is that any passwords you create or change will use short hashes, even for 4.1 clients. Thus, you lose the additional security provided by long password hashes. If you want to create an account that has a long hash (for example, for use by 4.1 clients), you must do so while running the server without --old-passwords.

The following scenarios are possible for running a 4.1 server:

Scenario 1: Short Password column in user table:

  • Only short hashes can be stored in the Password column.
  • The server uses only short hashes during client authentication.
  • For connected clients, password hash-generating operations involving PASSWORD(), GRANT, or SET PASSWORD use short hashes exclusively. Any change to an account's password results in that account having a short password hash.
  • The --old-passwords option can be used but is superfluous because with a short Password column, the server will only generate short password hashes anyway.

Scenario 2: Long Password column; server not started with --old-passwords option:

  • Short or long hashes can be stored in the Password column.
  • 4.1 clients can authenticate for accounts that have short or long hashes.
  • Pre-4.1 clients can authenticate only for accounts that have short hashes.
  • For connected clients, password hash-generating operations involving PASSWORD(), GRANT, or SET PASSWORD use long hashes exclusively. A change to an account's password results in that account having a long password hash.

As indicated earlier, a danger in this scenario is that it is possible for accounts that have a short password hash to become inaccessible to pre-4.1 clients. A change to such an account's password made via GRANT, PASSWORD(), or SET PASSWORD results in the account being given a long password hash. From that point on, no pre-4.1 client can authenticate to that account until the client upgrades to 4.1.

To deal with this problem, you can change a password in a special way. For example, normally you use SET PASSWORD as follows to change an account password:

mysql> SET PASSWORD FOR
    -> 'some_user'@'some_host' = PASSWORD('mypass');

To change the password but create a short hash, use the OLD_PASSWORD() function instead:

mysql> SET PASSWORD FOR
    -> 'some_user'@'some_host' = OLD_PASSWORD('mypass');

OLD_PASSWORD() is useful for situations in which you explicitly want to generate a short hash.

Scenario 3: Long Password column; server started with --old-passwords option:

  • Short or long hashes can be stored in the Password column.
  • 4.1 clients can authenticate for accounts that have short or long hashes (but note that it is possible to create long hashes only when the server is started without --old-passwords).
  • Pre-4.1 clients can authenticate only for accounts that have short hashes.
  • For connected clients, password hash-generating operations involving PASSWORD(), GRANT, or SET PASSWORD use short hashes exclusively. Any change to an account's password results in that account having a short password hash.

In this scenario, you cannot create accounts that have long password hashes, because the --old-passwords option prevents generation of long hashes. Also, if you create an account with a long hash before using the --old-passwords option, changing the account's password while --old-passwords is in effect results in the account being given a short password, causing it to lose the security benefits of a longer hash.

The disadvantages for these scenarios may be summarized as follows:

In scenario 1, you cannot take advantage of longer hashes that provide more secure authentication.

In scenario 2, accounts with short hashes become inaccessible to pre-4.1 clients if you change their passwords without explicitly using OLD_PASSWORD().

In scenario 3, --old-passwords prevents accounts with short hashes from becoming inaccessible, but password-changing operations cause accounts with long hashes to revert to short hashes, and you cannot change them back to long hashes while --old-passwords is in effect.

5.4.9.1 Implications of Password Hashing Changes for Application Programs

An upgrade to MySQL 4.1 can cause a compatibility issue for applications that use PASSWORD() to generate passwords for their own purposes. (Applications really should not do this, because PASSWORD() should be used only to manage passwords for MySQL accounts. But some applications use PASSWORD() for their own purposes anyway.) If you upgrade to 4.1 and run the server under conditions where it generates long password hashes, an application that uses PASSWORD() for its own passwords will break. The recommended course of action is to modify the application to use another function such as SHA1() or MD5() to produce hashed values. If that is not possible, you can use the OLD_PASSWORD() function, which is provided to generate short hashes in the old format. (But note that OLD_PASSWORD() may one day no longer be supported.)

If the server is running under circumstances where it generates short hashes, OLD_PASSWORD() is available but is equivalent to PASSWORD().

5.4.9.2 Password Hashing in MySQL 4.1.0

Password hashing in MySQL 4.1.0 differs from hashing in 4.1.1 and up. The 4.1.0 differences are:

  • Password hashes are 45 bytes long rather than 41 bytes.
  • The PASSWORD() function is non-repeatable. That is, with a given argument X, successive calls to PASSWORD(X) generate different results.

These differences make authentication in 4.1.0 incompatible with that of releases that follow it. If you have upgraded to MySQL 4.1.0, it is recommended that you upgrade to a newer version as soon as possible. After you do, reassign any long passwords in the user table so that they are compatible with the 41-byte format.

5.5 MySQL User Account Management

This section describes how to set up accounts for clients of your MySQL server. It discusses the following topics:

  • The meaning of account names and passwords as used in MySQL and how that compares to names and passwords used by your operating system
  • How to secure the initial MySQL accounts that are created when you install MySQL
  • How to set up new accounts and remove existing accounts
  • How to change passwords
  • Guidelines for using passwords securely
  • How to use secure connections with SSL

5.5.1 MySQL Usernames and Passwords

A MySQL account is defined in terms of a username and the client host or hosts from which the user can connect to the server. The account also has a password. There are several distinctions between the way usernames and passwords are used by MySQL and the way they are used by your operating system:

  • Usernames, as used by MySQL for authentication purposes, have nothing to do with usernames (login names) as used by Windows or Unix. On Unix, most MySQL clients by default try to log in using the current Unix username as the MySQL username, but that is for convenience only. The default can be overridden easily, because client programs allow any username to be specified with a -u or --user option. Because this means that anyone can attempt to connect to the server using any username, you can't make a database secure in any way unless all MySQL accounts have passwords. Anyone who specifies a username for an account that has no password will be able to connect successfully to the server.
  • MySQL usernames can be up to 16 characters long. Operating system usernames might have a different maximum length. For example, Unix usernames typically are limited to eight characters.
  • MySQL passwords have nothing to do with passwords for logging in to your operating system. There is no necessary connection between the password you use to log in to a Windows or Unix machine and the password you use to access the MySQL server on that machine.
  • MySQL encrypts passwords using its own algorithm. This encryption is different from that used during the Unix login process. MySQL password encryption is the same as that implemented by the PASSWORD() SQL function. Unix password encryption is the same as that implemented by the ENCRYPT() SQL function. See the descriptions of the PASSWORD() and ENCRYPT() functions in section 13.8.2 Encryption Functions. From version 4.1 on, MySQL employs a stronger authentication method that has better password protection during the connection process than in earlier versions. It is secure even if TCP/IP packets are sniffed or the mysql database is captured. (In earlier versions, even though passwords are stored in encrypted form in the user table, knowledge of the encrypted password value could be used to connect to the MySQL server!)

When you install MySQL, the grant tables are populated with an initial set of accounts. (Their names and access privileges are discussed in section 5.5.2 Securing the Initial MySQL Accounts.) Thereafter, you normally set up, modify, and remove MySQL accounts using the GRANT and REVOKE statements. See section 14.5.1.2 GRANT and REVOKE Syntax.

When you connect to a MySQL server with a command-line client, you should specify the username and password for the account that you want to use:

shell> mysql --user=monty --password=guess db_name

If you prefer short options, the command looks like this:

shell> mysql -u monty -pguess db_name

Note that there must be no space between the -p option and the following password value. See section 5.4.4 Connecting to the MySQL Server.

If you want the client program to ask for a password, you should use a --password or -p option without any following password value:

shell> mysql --user=monty --password db_name
shell> mysql -u monty -p db_name

In these examples, db_name is not the password. Instead, the program will print a prompt and wait for you to enter the password.

On some systems, the library call that MySQL uses to prompt for a password automatically limits the password to eight characters. Internally, MySQL doesn't have any limit for the length of the password.

5.5.2 Securing the Initial MySQL Accounts

Part of the MySQL installation process is to set up the mysql database containing the grant tables:

  • Windows distributions contain preinitialized grant tables that are installed automatically.
  • On Unix, the grant tables are populated by the mysql_install_db program. Some installation methods run this program for you. Others require that you execute it manually. For details, see section 2.4.2 Unix Post-installation Procedures.

The grant tables define the initial accounts and their access privileges. These accounts are set up as follows:

  • Two accounts are created with a username of root and no password. These are superuser accounts that can do anything. Connections for root must be made from the local host, either by specifying a hostname of localhost or the actual hostname or IP number. Note: The initial root account passwords are empty, so anyone can connect to the MySQL server as root without a password and be granted all privileges.
  • Two anonymous-user accounts are created with an empty username and no password. These accounts can do anything with databases that have a name of 'test' or that start with 'test_'. Connections must be made from the local host, either by specifying a hostname of localhost or the actual hostname or IP number. Because these accounts have no passwords, any local user can connect without a password and be treated as the anonymous user.
  • Other privileges are denied. For example, normal users can't perform administrative operations by executing commands such as mysqladmin shutdown or mysqladmin processlist.

Note: The default privileges are different for Windows. See section 2.4.1 Windows Post-installation Procedures.

As noted, none of the initial accounts have passwords. Because your installation is initially wide open, one of the first things you should do is to secure these accounts:

  • You should assign passwords to the MySQL root accounts.
  • If you want to prevent clients from connecting as anonymous users without a password, you should also assign passwords to the anonymous accounts or else remove them.

You can assign passwords to the root accounts several ways. The following discussion demonstrates three methods:

  • By using the SET PASSWORD statement
  • By using the mysqladmin command-line client program
  • By using the UPDATE statement

To assign passwords using SET PASSWORD, connect to the server as root and issue two SET PASSWORD statements, as follows:

shell> mysql -u root mysql
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR 'root'@'host_name' = PASSWORD('newpwd');

Replace ``newpwd'' with the actual root password that you want to use. Be sure to encrypt the password using the PASSWORD() function. In the second command, replace host_name with the name of the server host. This is the name that is specified in the Host column of the non-localhost record for root in the user table. If you don't know what hostname this is, issue the following statement before the SET PASSWORD statements:

mysql> SELECT Host, User FROM User;

Look for the record that has root in the User column and something other than localhost in the Host column.

To assign passwords to the root accounts using mysqladmin, execute the following commands:

shell> mysqladmin -u root password "newpwd"
shell> mysqladmin -u root -h host_name password "newpwd"

Replace ``newpwd'' with the actual root password that you want to use. The double quotes are not always necessary, but you should use them if the password contains spaces or other characters that are special to your command interpreter. In the second command, replace host_name with the name of the server host.

Another way to assign passwords is by using UPDATE to modify the user table directly. Connect to the server as root and issue an UPDATE statement that assigns a value to the Password column of the appropriate user table records. The following UPDATE statement assigns a password to both root accounts at once:

shell> mysql -u root mysql
mysql> UPDATE user SET Password = PASSWORD('newpwd')
    ->     WHERE User = 'root';
mysql> FLUSH PRIVILEGES;

Replace ``newpwd'' with the actual root password that you want to use. Be sure to encrypt the password using the PASSWORD() function.

Note that after you update the password in the user table directly using UPDATE, you should tell the server to re-read the grant tables with FLUSH PRIVILEGES. Otherwise, the change will go unnoticed otherwise until you restart the server.

After the root password has been set, you must supply that password whenever you connect to the server as root.

You might want to defer setting a password for the root accounts until later, so that you don't need to specify it while you perform additional setup or testing. However, be sure to set it before using your installation for any real production work.

If you want to assign passwords to the anonymous accounts, you can use either SET PASSWORD or UPDATE. In both cases, be sure to encrypt the password using the PASSWORD() function.

To use SET PASSWORD, do this:

shell> mysql -u root mysql
mysql> SET PASSWORD FOR ''@'localhost' = PASSWORD('newpwd');
mysql> SET PASSWORD FOR ''@'host_name' = PASSWORD('newpwd');

The value of host_name is the same as when you assigned the root account passwords.

To use UPDATE, do this:

shell> mysql -u root mysql
mysql> UPDATE user SET Password = PASSWORD('newpwd')
    ->     WHERE User = '';
mysql> FLUSH PRIVILEGES;

If you prefer to remove the anonymous accounts instead, do so as follows:

shell> mysql -u root mysql
mysql> DELETE FROM user WHERE User = '';
mysql> FLUSH PRIVILEGES;

5.5.3 Adding New User Accounts to MySQL

You can create MySQL accounts two ways:

  • By using GRANT statements
  • By manipulating the MySQL grant tables directly

The preferred method is to use GRANT statements, because they are more concise and less error-prone. GRANT is available as of MySQL 3.22.11; its syntax is described in section 14.5.1.2 GRANT and REVOKE Syntax.

Another option for creating accounts is to use one of several available third-party programs that offer capabilities for MySQL account administration. phpMyAdmin is one such program.

The following examples show how to use the mysql client program to set up new users. These examples assume that privileges are set up according to the defaults described in section 5.5.2 Securing the Initial MySQL Accounts. This means that to make changes, you must be on the same machine where mysqld is running, you must connect to it as the MySQL root user, and the root account must have the INSERT privilege for the mysql database and the RELOAD administrative privilege.

First, use the mysql program to connect to the server as the MySQL root user:

shell> mysql --user=root mysql

If you have assigned a password to the root account, you should specify that password for this mysql command and also for those later in this section.

After connecting to the server, you can add new accounts. The following statements use GRANT to set up four new accounts:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost'
    ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'monty'@'%'
    ->     IDENTIFIED BY 'some_pass' WITH GRANT OPTION;
mysql> GRANT RELOAD,PROCESS ON *.* TO 'admin'@'localhost';
mysql> GRANT USAGE ON *.* TO 'dummy'@'localhost';

The accounts created by these GRANT statements have the following properties:

  • Two of the accounts have a username of monty and a password of some_pass. Both accounts are superuser accounts with full privileges to do anything. One account ('monty'@'localhost') can be used only when connecting from the local host. The other ('monty'@'%') can be used to connect from any other host. Note that it is necessary to have both accounts for monty to be able to connect from anywhere as monty. Without the localhost account, the anonymous-user account for localhost that is created by mysql_install_db would take precedence when monty connects from the local host. As a result, monty would be treated as an anonymous user. The reason for this is that the anonymous-user account has a more specific Host column value than the 'monty'@'%' account and thus comes earlier in the user table sort order. (user table sorting is discussed in section 5.4.5 Access Control, Stage 1: Connection Verification.)
  • One account has a username of admin and no password. This account can be used only by connecting from the local host. It is granted the RELOAD and PROCESS administrative privileges. These privileges allow the admin user to execute the mysqladmin reload, mysqladmin refresh, and mysqladmin flush-* commands, as well as mysqladmin processlist . No privileges are granted for accessing any databases. You could add such privileges later by issuing additional GRANT statements.
  • One account has a username of dummy and no password. This account can be used only by connecting from the local host. No privileges are granted. The USAGE privilege in the GRANT statement allows you to create an account without giving it any privileges. It has the effect of setting all the global privileges to 'N'. It is assumed that you will grant specific privileges to the account later.

As an alternative to GRANT, you can create the same accounts directly by issuing INSERT statements and then telling the server to reload the grant tables:

shell> mysql --user=root mysql
mysql> INSERT INTO user
    ->     VALUES('localhost','monty',PASSWORD('some_pass'),
    ->     'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
mysql> INSERT INTO user
    ->     VALUES('%','monty',PASSWORD('some_pass'),
    ->     'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
mysql> INSERT INTO user SET Host='localhost',User='admin',
    ->     Reload_priv='Y', Process_priv='Y';
mysql> INSERT INTO user (Host,User,Password)
    ->     VALUES('localhost','dummy','');
mysql> FLUSH PRIVILEGES;

The reason for using FLUSH PRIVILEGES when you create accounts with INSERT is to tell the server to re-read the grant tables. Otherwise, the changes will go unnoticed until you restart the server. (With GRANT, FLUSH PRIVILEGES is unnecessary.)

The reason for using the PASSWORD() function with INSERT is to encrypt the password. The GRANT statement encrypts the password for you, so PASSWORD() is unnecessary.

The 'Y' values enable privileges for the accounts. Depending on your MySQL version, you may have to use a different number of 'Y' values in the first two INSERT statements. (Versions prior to 3.22.11 have fewer privilege columns, and versions from 4.0.2 on have more.) For the admin account, the more readable extended INSERT syntax using SET that is available starting with Version 3.22.11 is used.

In the INSERT statement for the dummy account, only the Host, User, and Password columns in the user table record are assigned values. None of the privilege columns are set explicitly, so MySQL assigns them all the default value of 'N'. This is equivalent to what GRANT USAGE does.

Note that to set up a superuser account, it is necessary only to create a user table entry with the privilege columns set to 'Y'. user table privileges are global, so no entries in any of the other grant tables are needed.

The next examples create three accounts and give them access to specific databases. Each of them has a username of custom and password of obscure.

To create the accounts with GRANT, use the following statements:

shell> mysql --user=root mysql
mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
    ->     ON bankaccount.*
    ->     TO 'custom'@'localhost'
    ->     IDENTIFIED BY 'obscure';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
    ->     ON expenses.*
    ->     TO 'custom'@'whitehouse.gov'
    ->     IDENTIFIED BY 'obscure';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
    ->     ON customer.*
    ->     TO 'custom'@'server.domain'
    ->     IDENTIFIED BY 'obscure';

The three accounts can be used as follows:

  • The first account can access the bankaccount database, but only from the local host.
  • The second account can access the expenses database, but only from the host whitehouse.gov.
  • The third account can access the customer database, but only from the host server.domain.

To set up the custom accounts without GRANT, use INSERT statements as follows to modify the grant tables directly:

shell> mysql --user=root mysql
mysql> INSERT INTO user (Host,User,Password)
    ->     VALUES('localhost','custom',PASSWORD('obscure'));
mysql> INSERT INTO user (Host,User,Password)
    ->     VALUES('whitehouse.gov','custom',PASSWORD('obscure'));
mysql> INSERT INTO user (Host,User,Password)
    ->     VALUES('server.domain','custom',PASSWORD('obscure'));
mysql> INSERT INTO db
    ->     (Host,Db,User,Select_priv,Insert_priv,
    ->     Update_priv,Delete_priv,Create_priv,Drop_priv)
    ->     VALUES('localhost','bankaccount','custom',
    ->     'Y','Y','Y','Y','Y','Y');
mysql> INSERT INTO db
    ->     (Host,Db,User,Select_priv,Insert_priv,
    ->     Update_priv,Delete_priv,Create_priv,Drop_priv)
    ->     VALUES('whitehouse.gov','expenses','custom',
    ->     'Y','Y','Y','Y','Y','Y');
mysql> INSERT INTO db
    ->     (Host,Db,User,Select_priv,Insert_priv,
    ->     Update_priv,Delete_priv,Create_priv,Drop_priv)
    ->     VALUES('server.domain','customer','custom',
    ->     'Y','Y','Y','Y','Y','Y');
mysql> FLUSH PRIVILEGES;

The first three INSERT statements add user table entries that allow the user custom to connect from the various hosts with the given password, but grant no global privileges (all privileges are set to the default value of 'N'). The next three INSERT statements add db table entries that grant privileges to custom for the bankaccount, expenses, and customer databases, but only when accessed from the proper hosts. As usual when you modify the grant tables directly, you tell the server to reload them with FLUSH PRIVILEGES so that the privilege changes take effect.

If you want to give a specific user access from all machines in a given domain (for example, mydomain.com), you can issue a GRANT statement that uses the `%' wildcard character in the host part of the account name:

mysql> GRANT ...
    ->     ON *.*
    ->     TO 'myname'@'%.mydomain.com'
    ->     IDENTIFIED BY 'mypass';

To do the same thing by modifying the grant tables directly, do this:

mysql> INSERT INTO user (Host,User,Password,...)
   ->      VALUES('%.mydomain.com','myname',PASSWORD('mypass'),...);
mysql> FLUSH PRIVILEGES;

5.5.4 Removing User Accounts from MySQL

To remove an account, use the DROP USER statement, which was added in MySQL 4.1.1. For older versions of MySQL, use DELETE instead. The account removal procedure is described in section 14.5.1.1 DROP USER Syntax.

5.5.5 Limiting Account Resources

Before MySQL 4.0.2, the only available method for limiting use of MySQL server resources has been to set the max_user_connections system variable to a non-zero value. But that method is strictly global. It does not allow for management of individual accounts. Also, it limits only the number of simultaneous connections made using a single account, not what a client can do once connected. Both types of control are interest to many MySQL administrators, particularly those for Internet Service Providers.

Starting from MySQL 4.0.2, you can limit the following server resources for individual accounts:

  • The number of queries that an account can issue per hour
  • The number of updates that an account can issue per hour
  • The number of times an account can connect to the server per hour

Any statement that a client can issue counts against the query limit. Only statements that modify databases or tables count against the update limit.

An account in this context is a single record in the user table. Each account is uniquely identified by its User and Host column values.

As a prerequisite for using this feature, the user table in the mysql database must contain the resource-related columns. Resource limits are stored in the max_questions, max_updates, and max_connections columns. If your user table doesn't have these columns, it needs to be upgraded, see section 2.5.8 Upgrading the Grant Tables.

To set resource limits with a GRANT statement, use a WITH clause that names each resource to be limited and a per-hour count indicating the limit value. For example, to create a new account that can access the customer database but only in a limited fashion, issue this statement:

mysql> GRANT ALL ON customer.* TO 'francis'@'localhost'
    ->     IDENTIFIED BY 'frank'
    ->     WITH MAX_QUERIES_PER_HOUR 20
    ->          MAX_UPDATES_PER_HOUR 10
    ->          MAX_CONNECTIONS_PER_HOUR 5;

The limit types need not all be named in the WITH clause, but those named can be present in any order. The value for each limit should be an integer representing a count per hour. If the GRANT statement has no WITH clause, the limits are each set to the default value of zero (that is, no limit).

To set or change limits for an existing account, use a GRANT USAGE statement at the global level (ON *.*). The following statement changes the query limit for francis to 100:

mysql> GRANT USAGE ON *.* TO 'francis'@'localhost'
    ->     WITH MAX_QUERIES_PER_HOUR 100;

This statement leaves the account's existing privileges unchanged and modifies only the limit values specified.

To remove an existing limit, set its value to zero. For example, to remove the limit on how many times per hour francis can connect, use this statement:

mysql> GRANT USAGE ON *.* TO 'francis'@'localhost'
    ->     WITH MAX_CONNECTIONS_PER_HOUR 0;

Resource-use counting takes place when any account has a non-zero limit placed on its use of any of the resources.

As the server runs, it counts the number of times each account uses resources. If an account reaches its limit on number of connections within the last hour, further connections for the account are rejected until that hour is up. Similarly, if the account reaches its limit on the number of queries or updates, further queries or updates are rejected until the hour is up. In all such cases, an appropriate error message is issued.

Resource counting is done per account, not per client. For example, if your account has a query limit of 50, you cannot increase your limit to 100 by making two simultaneous client connections to the server. Queries issued on both connections are counted together.

The current resource-use counts can be reset globally for all accounts, or individually for a given count:

  • To reset the current counts to zero for all accounts, issue a FLUSH USER_RESOURCES statement. The counts also can be reset by reloading the grant tables (for example, with a FLUSH PRIVILEGES statement or a mysqladmin reload command).
  • The counts for an individual account can be set to zero by re-granting it any of its limits. To do this, use GRANT USAGE as described earlier and specify a limit value equal to the value that the account already has.

5.5.6 Assigning Account Passwords

Passwords may be assigned from the command line by using the mysqladmin command:

shell> mysqladmin -u user_name -h host_name password "newpwd"

The account for which this command resets the password is the one with a user table record that matches user_name in the User column and the client host from which you connect in the Host column.

Another way to assign a password to an account is to issue a SET PASSWORD statement:

mysql> SET PASSWORD FOR 'jeffrey'@'%' = PASSWORD('biscuit');

Only users such as root with update access to the mysql database can change the password for other users. If you are not connected as an anonymous user, you can change your own password by omitting the FOR clause:

mysql> SET PASSWORD = PASSWORD('biscuit');

You can also use a GRANT USAGE statement at the global level (ON *.*) to assign a password to an account without affecting the account's current privileges:

mysql> GRANT USAGE ON *.* TO 'jeffrey'@'%' IDENTIFIED BY 'biscuit';

Although it is generally preferable to assign passwords using one of the preceding methods, you can also do so by modifying the user table directly:

  • To establish a password when creating a new account, provide a value for the Password column:
    shell> mysql -u root mysql
    mysql> INSERT INTO user (Host,User,Password)
        -> VALUES('%','jeffrey',PASSWORD('biscuit'));
    mysql> FLUSH PRIVILEGES;
    
  • To change the password for an existing account, use UPDATE to set the Password column value:
    shell> mysql -u root mysql
    mysql> UPDATE user SET Password = PASSWORD('bagel')
        -> WHERE Host = '%' AND User = 'francis';
    mysql> FLUSH PRIVILEGES;
    

When you assign an account a password using SET PASSWORD, INSERT, or UPDATE, you must use the PASSWORD() function to encrypt it. (The only exception is that you need not use PASSWORD() if the password is empty.) PASSWORD() is necessary because the user table stores passwords in encrypted form, not as plaintext. If you forget that fact, you are likely to set passwords like this:

shell> mysql -u root mysql
mysql> INSERT INTO user (Host,User,Password)
    -> VALUES('%','jeffrey','biscuit');
mysql> FLUSH PRIVILEGES;

The result is that the literal value 'biscuit' is stored as the password in the user table, not the encrypted value. When jeffrey attempts to connect to the server using this password, the value is encrypted and compared to the value stored in the user table. However, the stored value is the literal string 'biscuit', so the comparison fails and the server rejects the connection:

shell> mysql -u jeffrey -pbiscuit test
Access denied

If you set passwords using the GRANT ... IDENTIFIED BY statement or the mysqladmin password command, they both take care of encrypting the password for you. The PASSWORD() function is unnecessary.

Note: PASSWORD() encryption is different from Unix password encryption. See section 5.5.1 MySQL Usernames and Passwords.

5.5.7 Keeping Your Password Secure

On an administrative level, you should never grant access to the mysql.user table to any non-administrative accounts. Passwords in the user table are stored in encrypted form, but in versions of MySQL earlier than 4.1, knowing the encrypted password for an account makes it possible to connect to the server using that account.

When you run a client program to connect to the MySQL server, it is inadvisable to specify your password in a way that exposes it to discovery by other users. The methods you can use to specify your password when you run client programs are listed here, along with an assessment of the risks of each method:

  • Use a -pyour_pass or --password=your_pass option on the command line. For example:
    shell> mysql -u francis -pfrank db_name
    
    This is convenient but insecure, because your password becomes visible to system status programs such as ps that may be invoked by other users to display command lines. MySQL clients typically overwrite the command-line password argument with zeros during their initialization sequence, but there is still a brief interval during which the value is visible.
  • Use a -p or --password option with no password value specified. In this case, the client program solicits the password from the terminal:
    shell> mysql -u francis
    Enter password: ********
    
    The `*' characters represent your password. The password is not displayed as you enter it. It is more secure to enter your password this way than to specify it on the command line because it is not visible to other users. However, this method of entering a password is suitable only for programs that you run interactively. If you want to invoke a client from a script that runs non-interactively, there is no opportunity to enter the password from the terminal. On some systems, you may even find that the first line of your script is read and interpreted (incorrectly) as your password!
  • Store your password in an option file. For example, on Unix you can list your password in the [client] section of the `.my.cnf' file in your home directory:
    [client]
    password=your_pass
    
    If you store your password in `.my.cnf', the file should not be accessible to anyone but yourself. To ensure this, set the file access mode to 400 or 600. For example:
    shell> chmod 600 .my.cnf
    
    section 4.3.2 Using Option Files discusses option files in more detail.
  • Store your password in the MYSQL_PWD environment variable. This method of specifying your MySQL password must be considered extremely insecure and should not be used. Some versions of ps include an option to display the environment of running processes. If you set MYSQL_PWD, your password will be exposed to any other user who runs ps. Even on systems without such a version of ps, it is unwise to assume there are no other methods by which users can examine process environments. See section E Environment Variables.

All in all, the safest methods are to have the client program prompt for the password or to specify the password in a properly protected option file.

5.5.8 Using Secure Connections

Beginning with version 4.0.0, MySQL has support for secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. This section discusses how to use SSL connections. It also describes a way to set up SSH on Windows.

The standard configuration of MySQL is intended to be as fast as possible, so encrypted connections are not used by default. Doing so would make the client/server protocol much slower. Encrypting data is a CPU-intensive operation that requires the computer to do additional work and can delay other MySQL tasks. For applications that require the security provided by encrypted connections, the extra computation is warranted.

MySQL allows encryption to be enabled on a per-connection basis. You can choose a normal uncrypted connection or a secure encrypted SSL connection according the requirements of individual applications.

5.5.8.1 Basic SSL Concepts

To understand how MySQL uses SSL, it's necessary to explain some basic SSL and X509 concepts. People who are already familiar with them can skip this part.

By default, MySQL uses unencrypted connections between the client and the server. This means that someone with access to the network could watch all your traffic and look at the data being sent or received. They could even change the data while it is in transit between client and server. To improve security a little, you can compress client/server traffic by using the --compress option when invoking client programs. However, this will not foil a determined attacker.

When you need to move information over a network in a secure fashion, an unencrypted connection is unacceptable. Encryption is the way to make any kind of data unreadable. In fact, today's practice requires many additional security elements from encryption algorithms. They should resist many kind of known attacks such as changing the order of encrypted messages or replaying data twice.

SSL is a protocol that uses different encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect any data change, loss, or replay. SSL also incorporates algorithms that provide identity verification using the X509 standard.

X509 makes it possible to identify someone on the Internet. It is most commonly used in e-commerce applications. In basic terms, there should be some company called a ``Certificate Authority'' (or CA) that assigns electronic certificates to anyone who needs them. Certificates rely on asymmetric encryption algorithms that have two encryption keys (a public key and a secret key). A certificate owner can show the certificate to another party as proof of identity. A certificate consists of its owner's public key. Any data encrypted with this public key can be decrypted only using the corresponding secret key, which is held by the owner of the certificate.

If you need more information about SSL, X509, or encryption, use your favorite Internet search engine to search for keywords in which you are interested.

5.5.8.2 Requirements

To use SSL connections between the MySQL server and client programs, your system must be able to support OpenSSL and your version of MySQL must be 4.0.0 or newer.

To get secure connections to work with MySQL, you must do the following:

  1. Install the OpenSSL library. We have tested MySQL with OpenSSL 0.9.6. If you need OpenSSL, visit http://www.openssl.org.
  2. When you configure MySQL, run the configure script with the --with-vio and --with-openssl options.
  3. Make sure you have upgraded your grant tables to include the SSL-related columns in the mysql.user table. This is necessary if your grant tables date from a version prior to MySQL 4.0.0. The upgrade procedure is described in section 2.5.8 Upgrading the Grant Tables.
  4. To check whether a running mysqld server supports OpenSSL, examine the value of the have_openssl system variable:
    mysql> SHOW VARIABLES LIKE 'have_openssl';
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | have_openssl  | YES   |
    +---------------+-------+
    
    If the value is YES, the server supports OpenSSL connections.

5.5.8.3 Setting Up SSL Certificates for MySQL

Here is an example for setting up SSL certificates for MySQL:

DIR=`pwd`/openssl
PRIV=$DIR/private

mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf

# Create necessary files: $database, $serial and $new_certs_dir 
# directory (optional)

touch $DIR/index.txt
echo "01" > $DIR/serial

#
# Generation of Certificate Authority(CA)
#

openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/cacert.pem \
    -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/monty/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:

#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
    $DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/monty/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
# 
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove the passphrase from the key (optional)
#

openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem

#
# Sign server cert
#
openssl ca  -policy policy_anything -out $DIR/server-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/server-req.pem

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL admin'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT (365 days)
# Sign the certificate? [y/n]:y
# 
# 
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
    $DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/monty/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
# 
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:

#
# Remove a passphrase from the key (optional)
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem

#
# Sign client cert
#

openssl ca  -policy policy_anything -out $DIR/client-cert.pem \
    -config $DIR/openssl.cnf -infiles $DIR/client-req.pem

# Sample output:
# Using configuration from /home/monty/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName           :PRINTABLE:'FI'
# organizationName      :PRINTABLE:'MySQL AB'
# commonName            :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT (365 days)
# Sign the certificate? [y/n]:y
# 
# 
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated

#
# Create a my.cnf file that you can use to test the certificates
#

cnf=""
cnf="$cnf [client]"
cnf="$cnf ssl-ca=$DIR/cacert.pem"
cnf="$cnf ssl-cert=$DIR/client-cert.pem"
cnf="$cnf ssl-key=$DIR/client-key.pem"
cnf="$cnf [mysqld]"
cnf="$cnf ssl-ca=$DIR/cacert.pem"
cnf="$cnf ssl-cert=$DIR/server-cert.pem"
cnf="$cnf ssl-key=$DIR/server-key.pem"
echo $cnf | replace " " '
' > $DIR/my.cnf

To test SSL connections, start the server as follows, where $DIR is the pathname to the directory where the sample `my.cnf' option file is located:

shell> mysqld --defaults-file=$DIR/my.cnf &

Then invoke a client program using the same option file:

shell> mysql --defaults-file=$DIR/my.cnf

If you have a MySQL source distribution, you can also test your setup by modifying the preceding `my.cnf' file to refer to the demonstration certificate and key files in the `SSL' directory of the distribution.

5.5.8.4 SSL GRANT Options

MySQL can check X509 certificate attributes in addition to the usual authentication that is based on the username and password. To specify SSL-related options for a MySQL account, use the REQUIRE clause of the GRANT statement.

There are different possibilities for limiting connection types for an account:

  • If an account has no SSL or X509 requirements, unencrypted connections are allowed if the username and password are valid. However, encrypted connections also can be used at the client's option, if the client has the proper certificate and key files.
  • REQUIRE SSL option limits the server to allow only SSL encrypted connections for the account. Note that this option can be omitted if there are any ACL records that allow non-SSL connections.
    mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
        -> IDENTIFIED BY 'goodsecret' REQUIRE SSL;
    
  • REQUIRE X509 means that the client must have a valid certificate but that the exact certificate, issuer, and subject do not matter. The only requirement is that it should be possible to verify its signature with one of the CA certificates.
    mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
        -> IDENTIFIED BY 'goodsecret' REQUIRE X509;
    
  • REQUIRE ISSUER 'issuer' places the restriction on connection attempts that the client must present a valid X509 certificate issued by CA 'issuer'. If the client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X509 certificates always implies encryption, so the SSL option is unneccessary.
    mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE ISSUER '/C=FI/ST=Some-State/L=Helsinki/
           O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@example.com';
    
    Note that the ISSUER value should be entered as a single string.
  • REQUIRE SUBJECT 'subject' places the restriction on connection attempts that the client must present a valid X509 certificate with subject 'subject' on it. If the client presents a certificate that is valid but has a different subject, the server rejects the connection.
    mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/
           O=MySQL demo client certificate/
           CN=Tonu Samuel/Email=tonu@example.com';
    
    Note that the SUBJECT value should be entered as a single string.
  • REQUIRE CIPHER 'cipher' is needed to ensure that strong enough ciphers and key lengths will be used. SSL itself can be weak if old algorithms with short encryption keys are used. Using this option, we can ask for some exact cipher method to allow a connection.
    mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
        -> IDENTIFIED BY 'goodsecret'
        -> REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
    

The SUBJECT, ISSUER, and CIPHER options can be combined in the REQUIRE clause like this:

mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
    -> IDENTIFIED BY 'goodsecret'
    -> REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/
       O=MySQL demo client certificate/
       CN=Tonu Samuel/Email=tonu@example.com'
    -> AND ISSUER '/C=FI/ST=Some-State/L=Helsinki/
       O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@example.com'
    -> AND CIPHER 'EDH-RSA-DES-CBC3-SHA';

Note that the SUBJECT and ISSUER values each should be entered as a single string.

Starting from MySQL 4.0.4, the AND keyword is optional between REQUIRE options.

The order of the options does not matter, but no option can be specified twice.

5.5.8.5 SSL Command-line Options

The following list describes options that are used for specifying the use of SSL, certificate files, and key files. These options are available beginning with MySQL 4.0. They may be given on the command line or in an option file.

--ssl
For the server, this option specifies that the server allows SSL connections. For a client program, it allows the client to connect to the server using SSL. This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca, --ssl-cert, and --ssl-key options. This option is more often used in its opposite form to indicate that SSL should not be used. To do this, specify the option as --skip-ssl or --ssl=0. Note that use of --ssl doesn't require an SSL connection. For example, if the server or client are compiled without SSL support, a normal unencrypted connection will be used. The secure way to ensure that a SSL connection will be used is to create an account on the server that includes a REQUIRE SSL clause in the GRANT statement. Then use this account to connect to the server, with both a server and client that have SSL support enabled.
--ssl-ca=file_name
The path to a file with a list of trusted SSL CAs.
--ssl-capath=directory_name
The path to a directory that contains trusted SSL CA certificates in pem format.
--ssl-cert=file_name
The name of the SSL certificate file to use for establishing a secure connection.
--ssl-cipher=cipher_list
A list of allowable ciphers to use for SSL encryption. cipher_list has the same format as the openssl ciphers command. Example: --ssl-cipher=ALL:-AES:-EXP
--ssl-key=file_name
The name of the SSL key file to use for establishing a secure connection.

5.5.8.6 Connecting to MySQL Remotely from Windows with SSH

Here is a note about how to connect to get a secure connection to remote MySQL server with SSH (by David Carlson dcarlson@mplcomm.com):

  1. Install an SSH client on your Windows machine. As a user, the best non-free one I've found is from SecureCRT from http://www.vandyke.com/. Another option is f-secure from http://www.f-secure.com/. You can also find some free ones on Google at http://directory.google.com/Top/Computers/Security/Products_and_Tools/Cryptography/SSH/Clients/Windows/.
  2. Start your Windows SSH client. Set Host_Name = yourmysqlserver_URL_or_IP. Set userid=your_userid to log in to your server. This userid value may not be the same as the username of your MySQL account.
  3. Set up port forwarding. Either do a remote forward (Set local_port: 3306, remote_host: yourmysqlservername_or_ip, remote_port: 3306 ) or a local forward (Set port: 3306, host: localhost, remote port: 3306).
  4. Save everything, otherwise you'll have to redo it the next time.
  5. Log in to your server with the SSH session you just created.
  6. On your Windows machine, start some ODBC application (such as Access).
  7. Create a new file in Windows and link to MySQL using the ODBC driver the same way you normally do, except type in localhost for the MySQL host server--not yourmysqlservername.

You should now have an ODBC connection to MySQL, encrypted using SSH.

5.6 Disaster Prevention and Recovery

This section discusses how to make database backups and how to perform table maintenance. The syntax of the SQL statements described here is given in section 14.5 Database Administration Statements.

5.6.1 Database Backups

Because MySQL tables are stored as files, it is easy to do a backup. To get a consistent backup, do a LOCK TABLES on the relevant tables, followed by FLUSH TABLES for the tables. See section 14.4.5 LOCK TABLES and UNLOCK TABLES Syntax. See section 14.5.4.2 FLUSH Syntax. You only need a read lock; this allows other clients to continue to query the tables while you are making a copy of the files in the database directory. The FLUSH TABLES statement is needed to ensure that the all active index pages are written to disk before you start the backup.

If you want to make an SQL level backup of a table, you can use SELECT INTO ... OUTFILE or BACKUP TABLE. For SELECT INTO ... OUTFILE, the output file cannot already exist. For BACKUP TABLE, the same is true as of MySQL 3.23.56 and 4.0.12, because this would be a security risk. See section 14.1.7 SELECT Syntax. See section 14.5.2.2 BACKUP TABLE Syntax.

Another way to back up a database is to use the mysqldump program or the mysqlhotcopy script. See section 8.8 The mysqldump Database Backup Program. See section 8.9 The mysqlhotcopy Database Backup Program.

  1. Do a full backup of your database:
    shell> mysqldump --tab=/path/to/some/dir --opt db_name
    
    Or:
    shell> mysqlhotcopy db_name /path/to/some/dir
    
    You can also simply copy all table files (`*.frm', `*.MYD', and `*.MYI' files) as long as the server isn't updating anything. The mysqlhotcopy script uses this method. (But note that these methods will not work if your database contains InnoDB tables. InnoDB does not store table contents in database directories, and mysqlhotcopy works only for MyISAM and ISAM tables.)
  2. Stop mysqld if it's running, then start it with the --log-bin[=file_name] option. See section 5.8.4 The Binary Log. The binary log files provide you with the information you need to replicate changes to the database that are made subsequent to the point at which you executed mysqldump.

If your MySQL server is a slave replication server, then regardless of the backup method you choose, you should also backup the `master.info' and `relay-log.info' files when you backup your slave's data. These files are always needed to resume replication after you restore the slave's data. If your slave is subject to replicating LOAD DATA INFILE commands, you should also back up any `SQL_LOAD-*' files that may exist in the directory specified by the --slave-load-tmpdir option. (This location defaults to the value of the tmpdir variable if not specified.) The slave needs these files to resume replication of any interrupted LOAD DATA INFILE operations.

If you have to restore something, try to recover your tables using REPAIR TABLE or myisamchk -r first. That should work in 99.9% of all cases. If myisamchk fails, try the following procedure. Note that it will work only if you have enabled binary logging by starting MySQL with the --log-bin option; see section 5.8.4 The Binary Log.

  1. Restore the original mysqldump backup, or binary backup.
  2. Execute the following command to re-run the updates in the binary logs:
    shell> mysqlbinlog hostname-bin.[0-9]* | mysql
    
    In your case you may want to re-run only certain binary logs, from certain positions (usually you want to re-run all binary logs from the date of the restored backup, excepting possibly some incorrect queries). See section 8.5 The mysqlbinlog Binary Log Utility for more information on the mysqlbinlog utility and how to use it. If you are using the update logs instead, you can process their contents like this:
    shell> ls -1 -t -r hostname.[0-9]* | xargs cat | mysql
    
    ls is used to sort the update log filenames into the right order.

You can also do selective backups of individual files:

  • To dump the table, use SELECT * INTO OUTFILE 'file_name' FROM tbl_name.
  • To reload the table, use and restore with LOAD DATA INFILE 'file_name' REPLACE ... To avoid duplicate records, the table must have a PRIMARY KEY or a UNIQUE index. The REPLACE keyword causes old records to be replaced with new ones when a new record duplicates an old record on a unique key value.

If you have performance problems with your server while making backups, one strategy that can help is to set up replication and perform backups on the slave rather than on the master. See section 6.1 Introduction to Replication.

If you are using a Veritas filesystem, you can make a backup like this:

  1. From a client program, execute: FLUSH TABLES WITH READ LOCK.
  2. From another shell, execute: mount vxfs snapshot.
  3. From the first client, execute: UNLOCK TABLES.
  4. Copy files from the snapshot.
  5. Unmount the snapshot.

5.6.2 Using myisamchk for Table Maintenance and Crash Recovery

The following text discusses how to use myisamchk to check or repair MyISAM tables (tables with `.MYI' and `.MYD' files). The same concepts apply to using isamchk to check or repair ISAM tables (tables with `.ISM' and `.ISD' files). See section 15 MySQL Storage Engines and Table Types.

You can use the myisamchk utility to get information about your database tables or to check, repair, or optimize them. The following sections describe how to invoke myisamchk (including a description of its options), how to set up a table maintenance schedule, and how to use myisamchk to perform its various functions.

Note that even though table repair with myisamchk is quite secure, it's always a good idea to make a backup before doing a repair (or any maintenance operation that could make a lot of changes to a table)

An alternative to using myisamchk for checking or repairing MyISAM tables is to use the CHECK TABLE or REPAIR TABLE statements, which are available as of MySQL 3.23.13. See section 14.5.2.3 CHECK TABLE Syntax and section 14.5.2.6 REPAIR TABLE Syntax.

In most cases, you can also use the OPTIMIZE TABLES statement to optimize and repair tables, but this is not as fast or reliable (in case of really serious problems) as myisamchk. On the other hand, OPTIMIZE TABLE is easier to use and you don't have to worry about flushing tables. See section 14.5.2.5 OPTIMIZE TABLE Syntax.

The mysqlcheck client program provides a command-line interface to the CHECK TABLE, REPAIR TABLE, and OPTIMIZE TABLE statements.

5.6.2.1 myisamchk Invocation Syntax

Invoke myisamchk like this:

shell> myisamchk [options] tbl_name

The options specify what you want myisamchk to do. They are described in the following sections. You can also get a list of options by invoking myisamchk --help.

With no options, myisamchk simply checks your table as the default operation. To get more information or to tell myisamchk to take corrective action, specify options as described in the following discussion.

tbl_name is the database table you want to check or repair. If you run myisamchk somewhere other than in the database directory, you must specify the path to the database directory, because myisamchk has no idea where the database is located. In fact myisamchk doesn't actually care whether the files you are working on are located in a database directory. You can copy the files that correspond to a database table into some other location and perform recovery operations on them there.

You can name several tables on the myisamchk command line if you wish. You can also specify a table by naming its index file (the file with the `.MYI' suffix). This allows you to specify all tables in a directory by using the pattern `*.MYI'. For example, if you are in a database directory, you can check all the MyISAM tables in that directory like this:

shell> myisamchk *.MYI

If you are not in the database directory, you can check all the tables there by specifying the path to the directory:

shell> myisamchk /path/to/database_dir/*.MYI

You can even check all tables in all databases by specifying a wildcard with the path to the MySQL data directory:

shell> myisamchk /path/to/datadir/*/*.MYI

The recommended way to quickly check all MyISAM and ISAM tables is:

shell> myisamchk --silent --fast /path/to/datadir/*/*.MYI
shell> isamchk --silent /path/to/datadir/*/*.ISM

If you want to check all MyISAM and ISAM tables and repair any that are corrupted, you can use the following commands:

shell> myisamchk --silent --force --fast --update-state \
          -O key_buffer=64M -O sort_buffer=64M \
          -O read_buffer=1M -O write_buffer=1M \
          /path/to/datadir/*/*.MYI
shell> isamchk --silent --force -O key_buffer=64M \
          -O sort_buffer=64M -O read_buffer=1M -O write_buffer=1M \
          /path/to/datadir/*/*.ISM

These commands assume that you have more than 64MB free. For more information about memory allocation with myisamchk, see section 5.6.2.6 myisamchk Memory Usage.

You must ensure that no other program is using the tables while you are running myisamchk.

When you run myisamchk, it may display the following error message:

warning: clients are using or haven't closed the table properly

This means that you are trying to check a table that has been updated by another program (like the mysqld server) that hasn't yet closed the file or that has died without closing the file properly.

If mysqld is running, you must force it to flush any table modifications that are still buffered in memory by using FLUSH TABLES. You should then ensure that no one is using the tables while you are running myisamchk. In MySQL Version 3.23, the easiest way to avoid this problem is to use CHECK TABLE instead of myisamchk to check tables.

5.6.2.2 General Options for myisamchk

The options described in this section can be used for any type of table maintenance operation performed by myisamchk. The sections following this one describe options that pertain only to specific operations, such as table checking or repairing.

--help, -?
Display a help message and exit.
--debug=debug_options, -# debug_options
Write a debugging log. The debug_options string often is 'd:t:o,filename'.
--silent, -s
Silent mode. Write output only when errors occur. You can use -s twice (-ss) to make myisamchk very silent.
--verbose, -v
Verbose mode. Print more information. This can be used with -d and -e. Use -v multiple times (-vv, -vvv) for even more output.
--version, -V
Display version information and exit.
--wait, -w
Instead of terminating with an error if the table is locked, wait until the table is unlocked before continuing. Note that if you are running mysqld with the --skip-external-locking option, the table can only be locked by another myisamchk command.

You can also set the following variables by using --var_name=value options:

Variable Default Value
key_buffer_size 523264
read_buffer_size 262136
write_buffer_size 262136
sort_buffer_size 2097144
sort_key_blocks 16
decode_bits 9

It is also possible to set variables by using --set-variable=var_name=value or -O var_name=value syntax. However, this syntax is deprecated as of MySQL 4.0.

The possible myisamchk variables and their default values can be examined with myisamchk --help:

sort_buffer_size is used when the keys are repaired by sorting keys, which is the normal case when you use --recover.

key_buffer_size is used when you are checking the table with --extend-check or when the keys are repaired by inserting keys row by row into the table (like when doing normal inserts). Repairing through the key buffer is used in the following cases:

  • If you use --safe-recover.
  • If the temporary files needed to sort the keys would be more than twice as big as when creating the key file directly. This is often the case when you have large key values for CHAR, VARCHAR, or TEXT columns, because the sort operation needs to store the complete key values as it proceeds. If you have lots of temporary space and you can force myisamchk to repair by sorting, you can use the --sort-recover option.

Repairing through the key buffer takes much less disk space than using sorting, but is also much slower.

If you want a faster repair, set the key_buffer_size and sort_buffer_size variables to about 25% of your available memory. You can set both variables to large values, because only one of them is used at a time.

5.6.2.3 Check Options for myisamchk

myisamchk supports the following options for table checking operations:

--check, -c
Check the table for errors. This is the default operation if you specify no option that selects an operation type explicitly.
--check-only-changed, -C
Check only tables that have changed since the last check.
--extend-check, -e
Check the table very thoroughly. This is quite slow if the table has many indexes. This option should only be used in extreme cases. Normally, myisamchk or myisamchk --medium-check should be able to determine whether there are any errors in the table. If you are using --extend-check and have plenty of memory, setting the key_buffer_size variable to a large value will help the repair operation run faster.
--fast, -F
Check only tables that haven't been closed properly.
--force, -f
Do a repair operation automatically if myisamchk finds any errors in the table. The repair type is the same as that specified with the --repair or -r option.
--information, -i
Print informational statistics about the table that is checked.
--medium-check, -m
Do a check that is faster than an --extend-check operation. This finds only 99.99% of all errors, which should be good enough in most cases.
--read-only, -T
Don't mark the table as checked. This is useful if you use myisamchk to check a table that is in use by some other application that doesn't use locking, such as mysqld when run with the --skip-external-locking option.
--update-state, -U
Store information in the `.MYI' file to indicate when the table was checked and whether the table crashed. This should be used to get full benefit of the --check-only-changed option, but you shouldn't use this option if the mysqld server is using the table and you are running it with the --skip-external-locking option.

5.6.2.4 Repair Options for myisamchk

myisamchk supports the following options for table repair operations:

--backup, -B
Make a backup of the `.MYD' file as `filename-time.BAK'
--character-sets-dir=path
The directory where character sets are installed. See section 5.7.1 The Character Set Used for Data and Sorting.
--correct-checksum
Correct the checksum information for the table.
--data-file-length=#, -D #
Maximum length of the datafile (when re-creating datafile when it's ``full'').
--extend-check, -e
Do a repair that tries to to recover every possible row from the datafile. Normally this will also find a lot of garbage rows. Don't use this option unless you are totally desperate.
--force, -f
Overwrite old temporary files (files with names like `tbl_name.TMD') instead of aborting.
--keys-used=#, -k #
For myisamchk, the option value indicates which indexes to update. Each binary bit of the option value corresponds to a table index, where the first index is bit 0. For isamchk, the option value indicates that only the first # of the table indexes should be updated. In either case, an option value of 0 disables updates to all indexes, which can be used to get faster inserts. Deactivated indexes can be reactivated by using myisamchk -r or (isamchk -r).
--no-symlinks, -l
Do not follow symbolic links. Normally myisamchk repairs the table a symlink points to. This option doesn't exist as of MySQL 4.0, because versions from 4.0 on will not remove symlinks during repair operations.
--parallel-recover, -p
Uses the same technique as -r and -n, but creates all the keys in parallel, using different threads. This option was added in MySQL 4.0.2. This is alpha code. Use at your own risk!
--quick, -q
Achieve a faster repair by not modifying the datafile. You can specify this option twice to force myisamchk to modify the original datafile in case of duplicate keys.
--recover, -r
Do a repair that can fix almost any problem except unique keys that aren't unique (which is an extremely unlikely error with ISAM/MyISAM tables). If you want to recover a table, this is the option to try first. You should try -o only if myisamchk reports that the table can't be recovered by -r. (Note that in the unlikely case that -r fails, the datafile is still intact.) If you have lots of memory, you should increase the value of sort_buffer_size.
--safe-recover, -o
Do a repair using an old recovery method that reads through all rows in order and updates all index trees based on the rows found. This is an order of magnitude slower than -r, but can handle a couple of very unlikely cases that -r cannot. This recovery method also uses much less disk space than -r. Normally, you should repair first with -r, and then with -o only if -r fails. If you have lots of memory, you should increase the value of key_buffer_size.
--set-character-set=name
Change the character set used by the table indexes.
--sort-recover, -n
Force myisamchk to use sorting to resolve the keys even if the temporary files should be very big.
--tmpdir=path, -t path
Path of the directory to be used for storing temporary files. If this is not set, myisamchk uses the value of the TMPDIR environment variable. Starting from MySQL 4.1, tmpdir can be set to a list of directory paths that will be used successively in in round-robin fashion for creating temporary files. The separator character between directory names should be colon (`:') on Unix and semicolon (`;') on Windows, NetWare, and OS/2.
--unpack, -u
Unpack a table that was packed with myisampack.

5.6.2.5 Other Options for myisamchk

myisamchk supports the following options for actions other than table checks and repairs:

--analyze, -a
Analyze the distribution of keys. This improves join performance by enabling the join optimizer to better choose the order in which to join the tables and which keys it should use. To obtain information about the distribution, use a myisamchk --description --verbose tbl_name command or the SHOW KEYS FROM tbl_name statement.
--description, -d
Prints some descriptive information about the table.
--set-auto-increment[=value], -A[value]
Force AUTO_INCREMENT numbering for new records to start at the given value (or higher, if there are already records with AUTO_INCREMENT values this large). If value is not specified, AUTO_INCREMENT number for new records begins with the largest value currently in the table, plus one.
--sort-index, -S
Sort the index tree blocks in high-low order. This optimizes seeks and makes table scanning by key faster.
--sort-records=#, -R #
Sorts records according to a particular index. This makes your data much more localized and may speed up range-based SELECT and ORDER BY operations that use this index. (The first time you use this option to sort a table, it may be very slow.) To determine a table's index numbers, use SHOW KEYS, which displays a table's indexes in the same order that myisamchk sees them. Indexes are numbered beginning with 1.

5.6.2.6 myisamchk Memory Usage

Memory allocation is important when you run myisamchk. myisamchk uses no more memory than you specify with the -O options. If you are going to use myisamchk on very large tables, you should first decide how much memory you want it to use. The default is to use only about 3MB to perform repairs. By using larger values, you can get myisamchk to operate faster. For example, if you have more than 32MB RAM, you could use options such as these (in addition to any other options you might specify):

shell> myisamchk -O sort=16M -O key=16M -O read=1M -O write=1M ...

Using -O sort=16M should probably be enough for most cases.

Be aware that myisamchk uses temporary files in TMPDIR. If TMPDIR points to a memory filesystem, you may easily get out of memory errors. If this happens, set TMPDIR to point at some directory located on a filesystem with more space and run myisamchk again.

When repairing, myisamchk will also need a lot of disk space:

  • Double the size of the record file (the original one and a copy). This space is not needed if you do a repair with --quick; in this case, only the index file is re-created. This space is needed on the same filesystem as the original record file! (The copy is created in the same directory as the original.)
  • Space for the new index file that replaces the old one. The old index file is truncated at the start of the repair operation, so you usually ignore this space. This space is needed on the same filesystem as the original index file!
  • When using --recover or --sort-recover (but not when using --safe-recover), you will need space for a sort buffer. The amount of space required is:
    (largest_key + row_pointer_length) * number_of_rows * 2
    
    You can check the length of the keys and the row_pointer_length with myisamchk -dv tbl_name. This space is allocated in the temporary directory (specified by TMPDIR or --tmpdir=#).

If you have a problem with disk space during repair, you can try to use --safe-recover instead of --recover.

5.6.2.7 Using myisamchk for Crash Recovery

If you run mysqld with --skip-external-locking (which is the default on some systems, like Linux), you can't reliably use myisamchk to check a table when mysqld is using the same table. If you can be sure that no one is accessing the tables through mysqld while you run myisamchk, you only have to do mysqladmin flush-tables before you start checking the tables. If you can't guarantee this, then you must stop mysqld while you check the tables. If you run myisamchk while mysqld is updating the tables, you may get a warning that a table is corrupt even when it isn't.

If you are not using --skip-external-locking, you can use myisamchk to check tables at any time. While you do this, all clients that try to update the table will wait until myisamchk is ready before continuing.

If you use myisamchk to repair or optimize tables, you must always ensure that the mysqld server is not using the table (this also applies if you are using --skip-external-locking). If you don't take down mysqld you should at least do a mysqladmin flush-tables before you run myisamchk. Your tables may become corrupted if the server and myisamchk access the tables simultaneously.

This section describes how to check for and deal with data corruption in MySQL databases. If your tables get corrupted frequently you should try to find the reason why. See section A.4.1 What to Do if MySQL Keeps Crashing.

The MyISAM table section contains reason for why a table could be corrupted. See section 15.1.4 MyISAM Table Problems.

When performing crash recovery, it is important to understand that each table tbl_name in a database corresponds to three files in the database directory:

File Purpose
`tbl_name.frm' Definition (format) file
`tbl_name.MYD' Datafile
`tbl_name.MYI' Index file

Each of these three file types is subject to corruption in various ways, but problems occur most often in datafiles and index files.

myisamchk works by creating a copy of the `.MYD' datafile row by row. It ends the repair stage by removing the old `.MYD' file and renaming the new file to the original file name. If you use --quick, myisamchk does not create a temporary `.MYD' file, but instead assumes that the `.MYD' file is correct and only generates a new index file without touching the `.MYD' file. This is safe, because myisamchk automatically detects whether the `.MYD' file is corrupt and aborts the repair if it is. You can also specify the --quick option twice to myisamchk. In this case, myisamchk does not abort on some errors (such as duplicate-key errors) but instead tries to resolve them by modifying the `.MYD' file. Normally the use of two --quick options is useful only if you have too little free disk space to perform a normal repair. In this case, you should at least make a backup before running myisamchk.

5.6.2.8 How to Check MyISAM Tables for Errors

To check a MyISAM table, use the following commands:

myisamchk tbl_name
This finds 99.99% of all errors. What it can't find is corruption that involves only the datafile (which is very unusual). If you want to check a table, you should normally run myisamchk without options or with either the -s or --silent option.
myisamchk -m tbl_name
This finds 99.999% of all errors. It first checks all index entries for errors and then reads through all rows. It calculates a checksum for all keys in the rows and verifies that the checksum matches the checksum for the keys in the index tree.
myisamchk -e tbl_name
This does a complete and thorough check of all data (-e means ``extended check''). It does a check-read of every key for each row to verify that they indeed point to the correct row. This may take a long time for a large table that has many indexes. Normally, myisamchk stops after the first error it finds. If you want to obtain more information, you can add the --verbose (-v) option. This causes myisamchk to keep going, up through a maximum of 20 errors.
myisamchk -e -i tbl_name
Like the previous command, but the -i option tells myisamchk to print some informational statistics, too.

In most cases, a simple myisamchk with no arguments other than the table name is sufficient to check a table.

5.6.2.9 How to Repair Tables

The discussion in this section describes how to use myisamchk on MyISAM tables (extensions `.MYI' and `.MYD'). If you are using ISAM tables (extensions `.ISM' and `.ISD'), you should use isamchk instead; the concepts are similar.

Starting with MySQL Version 3.23.14, you can repair MyISAM tables with the REPAIR TABLE command. See section 14.5.2.6 REPAIR TABLE Syntax.

The symptoms of a corrupted table include queries that abort unexpectedly and observable errors such as these:

  • `tbl_name.frm' is locked against change
  • Can't find file `tbl_name.MYI' (Errcode: ###)
  • Unexpected end of file
  • Record file is crashed
  • Got error ### from table handler

To get more information about the error you can run perror ###, where ### is the error number. The following example shows how to use perror to find the meanings for the most common error numbers that indicate a problem with a table:

shell> perror 126 127 132 134 135 136 141 144 145
126 = Index file is crashed / Wrong file format
127 = Record-file is crashed
132 = Old database file
134 = Record was already deleted (or record file crashed)
135 = No more room in record file
136 = No more room in index file
141 = Duplicate unique key or constraint on write or update
144 = Table is crashed and last repair failed
145 = Table was marked as crashed and should be repaired

Note that error 135 (no more room in record file), is not an error that can be fixed by a simple repair. In this case you have to use ALTER TABLE to increase the MAX_ROWS and AVG_ROW_LENGTH table option values:

ALTER TABLE tbl_name MAX_ROWS=xxx AVG_ROW_LENGTH=yyy;

If you don't know the current table option values, use SHOW CREATE TABLE tbl_name.

You can also use this technique for error 136 (no more room in index file).

For the other errors, you must repair your tables. myisamchk can usually detect and fix most problems that occur.

The repair process involves up to four stages, described here. Before you begin, you should cd to the database directory and check the permissions of the table files. Make sure they are readable by the Unix user that mysqld runs as (and to you, because you need to access the files you are checking). If it turns out you need to modify files, they must also be writable by you.

If you are using MySQL Version 3.23.16 and above, you can (and should) use the CHECK and REPAIR commands to check and repair MyISAM tables. See section 14.5.2.3 CHECK TABLE Syntax and section 14.5.2.6 REPAIR TABLE Syntax.

The options that you can use for table maintenance with myisamchk and isamchk are described in several of the earlier subsections of section 5.6.2 Using myisamchk for Table Maintenance and Crash Recovery.

The following section is for the cases where the above command fails or if you want to use the extended features that myisamchk and isamchk provide.

If you are going to repair a table from the command line, you must first stop the mysqld server. Note that when you do mysqladmin shutdown on a remote server, the mysqld server will still be alive for a while after mysqladmin returns, until all queries are stopped and all keys have been flushed to disk.

Stage 1: Checking your tables

Run myisamchk *.MYI or myisamchk -e *.MYI if you have more time. Use the -s (silent) option to suppress unnecessary information.

If the mysqld server is down, you should use the --update-state option to tell myisamchk to mark the table as 'checked'.

You have to repair only those tables for which myisamchk announces an error. For such tables, proceed to Stage 2.

If you get weird errors when checking (such as out of memory errors), or if myisamchk crashes, go to Stage 3.

Stage 2: Easy safe repair

Note: If you want a repair operation to go much faster, you should set the values of the sort_buffer_size and key_buffer_size variables each to about 25% of your available memory when running myisamchk or isamchk.

First, try myisamchk -r -q tbl_name (-r -q means ``quick recovery mode''). This will attempt to repair the index file without touching the datafile. If the datafile contains everything that it should and the delete links point at the correct locations within the datafile, this should work, and the table is fixed. Start repairing the next table. Otherwise, use the following procedure:

  1. Make a backup of the datafile before continuing.
  2. Use myisamchk -r tbl_name (-r means ``recovery mode''). This will remove incorrect records and deleted records from the datafile and reconstruct the index file.
  3. If the preceding step fails, use myisamchk --safe-recover tbl_name. Safe recovery mode uses an old recovery method that handles a few cases that regular recovery mode doesn't (but is slower).

If you get weird errors when repairing (such as out of memory errors), or if myisamchk crashes, go to Stage 3.

Stage 3: Difficult repair

You should only reach this stage if the first 16KB block in the index file is destroyed or contains incorrect information, or if the index file is missing. In this case, it's necessary to create a new index file. Do so as follows:

  1. Move the datafile to some safe place.
  2. Use the table description file to create new (empty) data and index files:
    shell> mysql db_name
    mysql> SET AUTOCOMMIT=1;
    mysql> TRUNCATE TABLE tbl_name;
    mysql> quit
    
    If your SQL version doesn't have TRUNCATE TABLE, use DELETE FROM tbl_name instead.
  3. Copy the old datafile back onto the newly created datafile. (Don't just move the old file back onto the new file; you want to retain a copy in case something goes wrong.)

Go back to Stage 2. myisamchk -r -q should work now. (This shouldn't be an endless loop.)

As of MySQL 4.0.2, you can also use REPAIR TABLE ... USE_FRM which performs the whole procedure automatically.

Stage 4: Very difficult repair

You should reach this stage only if the `.frm' description file has also crashed. That should never happen, because the description file isn't changed after the table is created:

  1. Restore the description file from a backup and go back to Stage 3. You can also restore the index file and go back to Stage 2. In the latter case, you should start with myisamchk -r.
  2. If you don't have a backup but know exactly how the table was created, create a copy of the table in another database. Remove the new datafile, then move the `.frm' description and `.MYI' index files from the other database to your crashed database. This gives you new description and index files, but leaves the `.MYD' datafile alone. Go back to Stage 2 and attempt to reconstruct the index file.

5.6.2.10 Table Optimization

To coalesce fragmented records and eliminate wasted space resulting from deleting or updating records, run myisamchk in recovery mode:

shell> myisamchk -r tbl_name

You can optimize a table in the same way by using the SQL OPTIMIZE TABLE statement. OPTIMIZE TABLE does a repair of the table and a key analysis, and also sorts the index tree to give faster key lookups. There is also no possibility of unwanted interaction between a utility and the server, because the server does all the work when you use OPTIMIZE TABLE. See section 14.5.2.5 OPTIMIZE TABLE Syntax.

myisamchk also has a number of other options you can use to improve the performance of a table:

  • -S, --sort-index
  • -R index_num, --sort-records=index_num
  • -a, --analyze

For a full description of the options, see section 5.6.2.1 myisamchk Invocation Syntax.

5.6.3 Setting Up a Table Maintenance Regimen

It is a good idea to perform table checks on a regular basis rather than waiting for problems to occur. One way to check and repair MyISAM tables is with the CHECK TABLE and REPAIR TABLE statements. These are available starting with MySQL Version 3.23.13. See section 14.5.2.3 CHECK TABLE Syntax and section 14.5.2.6 REPAIR TABLE Syntax.

Another way to check tables is to use myisamchk. For maintenance purposes, you can use myisamchk -s. The -s option (short for --silent) causes myisamchk to run in silent mode, printing messages only when errors occur.

It's also a good idea to check tables when the server starts. For example, whenever the machine has done a restart in the middle of an update, you usually need to check all the tables that could have been affected. (This is an ``expected crashed table''.) You could add a test to mysqld_safe that runs myisamchk to check all tables that have been modified during the last 24 hours if there is an old `.pid' (process ID) file left after a restart. (The `.pid' file is created by mysqld when it starts and removed when it terminates normally. The presence of a `.pid' file at system startup time indicates that mysqld terminated abnormally.)

An even better test would be to check any table whose last-modified time is more recent than that of the `.pid' file.

You should also check your tables regularly during normal system operation. At MySQL AB, we run a cron job to check all our important tables once a week, using a line like this in a `crontab' file:

35 0 * * 0 /path/to/myisamchk --fast --silent /path/to/datadir/*/*.MYI

This prints out information about crashed tables so we can examine and repair them when needed.

As we haven't had any unexpectedly crashed tables (tables that become corrupted for reasons other than hardware trouble) for a couple of years now (this is really true), once a week is more than enough for us.

We recommend that to start with, you execute myisamchk -s each night on all tables that have been updated during the last 24 hours, until you come to trust MySQL as much as we do.

Normally you don't need to maintain MySQL tables that much. If you are changing tables with dynamic size rows (tables with VARCHAR, BLOB or TEXT columns) or have tables with many deleted rows you may want to from time to time (once a month?) defragment/reclaim space from the tables.

You can do this by using OPTIMIZE TABLE on the tables in question. If you can stop the mysqld server for a while, change location into the data directory and use this command while the server is stopped:

shell> myisamchk -r -s --sort-index  -O sort_buffer_size=16M */*.MYI

For ISAM tables, the command is similar:

shell> myisamchk -r -s --sort-index  -O sort_buffer_size=16M */*.MYI

5.6.4 Getting Information About a Table

To obtain a description of a table or statistics about it, use the commands shown here. We explain some of the information in more detail later:

  • myisamchk -d tbl_name Runs myisamchk in ``describe mode'' to produce a description of your table. If you start the MySQL server using the --skip-external-locking option, myisamchk may report an error for a table that is updated while it runs. However, because myisamchk doesn't change the table in describe mode, there is no risk of destroying data.
  • myisamchk -d -v tbl_name Adding -v runs myisamchk in verbose mode so that it produces more information about what it is doing.
  • myisamchk -eis tbl_name Shows only the most important information from a table. This operation is slow because it must read the entire table.
  • myisamchk -eiv tbl_name This is like -eis, but tells you what is being done.

Example output for some of these commands follows. They are based on a table with these data and index file sizes:

-rw-rw-r--   1 monty    tcx     317235748 Jan 12 17:30 company.MYD
-rw-rw-r--   1 davida   tcx      96482304 Jan 12 18:35 company.MYM

Example of myisamchk -d output:

MyISAM file:     company.MYI
Record format:   Fixed length
Data records:    1403698  Deleted blocks:         0
Recordlength:    226

table description:
Key Start Len Index   Type
1   2     8   unique  double
2   15    10  multip. text packed stripped
3   219   8   multip. double
4   63    10  multip. text packed stripped
5   167   2   multip. unsigned short
6   177   4   multip. unsigned long
7   155   4   multip. text
8   138   4   multip. unsigned long
9   177   4   multip. unsigned long
    193   1           text

Example of myisamchk -d -v output:

MyISAM file:         company
Record format:       Fixed length
File-version:        1
Creation time:       1999-10-30 12:12:51
Recover time:        1999-10-31 19:13:01
Status:              checked
Data records:           1403698  Deleted blocks:              0
Datafile parts:         1403698  Deleted data:                0
Datafilepointer (bytes):      3  Keyfile pointer (bytes):     3
Max datafile length: 3791650815  Max keyfile length: 4294967294
Recordlength:               226

table description:
Key Start Len Index   Type                  Rec/key     Root Blocksize
1   2     8   unique  double                      1 15845376      1024
2   15    10  multip. text packed stripped        2 25062400      1024
3   219   8   multip. double                     73 40907776      1024
4   63    10  multip. text packed stripped        5 48097280      1024
5   167   2   multip. unsigned short           4840 55200768      1024
6   177   4   multip. unsigned long            1346 65145856      1024
7   155   4   multip. text                     4995 75090944      1024
8   138   4   multip. unsigned long              87 85036032      1024
9   177   4   multip. unsigned long             178 96481280      1024
    193   1           text

Example of myisamchk -eis output:

Checking MyISAM file: company
Key:  1:  Keyblocks used:  97%  Packed:    0%  Max levels:  4
Key:  2:  Keyblocks used:  98%  Packed:   50%  Max levels:  4
Key:  3:  Keyblocks used:  97%  Packed:    0%  Max levels:  4
Key:  4:  Keyblocks used:  99%  Packed:   60%  Max levels:  3
Key:  5:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
Key:  6:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
Key:  7:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
Key:  8:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
Key:  9:  Keyblocks used:  98%  Packed:    0%  Max levels:  4
Total:    Keyblocks used:  98%  Packed:   17%

Records:          1403698    M.recordlength:     226
Packed:             0%
Recordspace used:     100%   Empty space:          0%
Blocks/Record:   1.00
Record blocks:    1403698    Delete blocks:        0
Recorddata:     317235748    Deleted data:         0
Lost space:             0    Linkdata:             0

User time 1626.51, System time 232.36
Maximum resident set size 0, Integral resident set size 0
Non physical pagefaults 0, Physical pagefaults 627, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 639, Involuntary context switches 28966

Example of myisamchk -eiv output:

Checking MyISAM file: company
Data records: 1403698   Deleted blocks:       0
- check file-size
- check delete-chain
block_size 1024:
index  1:
index  2:
index  3:
index  4:
index  5:
index  6:
index  7:
index  8:
index  9:
No recordlinks
- check index reference
- check data record references index: 1
Key:  1:  Keyblocks used:  97%  Packed:    0%  Max levels:  4
- check data record references index: 2
Key:  2:  Keyblocks used:  98%  Packed:   50%  Max levels:  4
- check data record references index: 3
Key:  3:  Keyblocks used:  97%  Packed:    0%  Max levels:  4
- check data record references index: 4
Key:  4:  Keyblocks used:  99%  Packed:   60%  Max levels:  3
- check data record references index: 5
Key:  5:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
- check data record references index: 6
Key:  6:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
- check data record references index: 7
Key:  7:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
- check data record references index: 8
Key:  8:  Keyblocks used:  99%  Packed:    0%  Max levels:  3
- check data record references index: 9
Key:  9:  Keyblocks used:  98%  Packed:    0%  Max levels:  4
Total:    Keyblocks used:   9%  Packed:   17%

- check records and index references
[LOTS OF ROW NUMBERS DELETED]

Records:         1403698   M.recordlength:   226   Packed:           0%
Recordspace used:    100%  Empty space:        0%  Blocks/Record: 1.00
Record blocks:   1403698   Delete blocks:      0
Recorddata:    317235748   Deleted data:       0
Lost space:            0   Linkdata:           0

User time 1639.63, System time 251.61
Maximum resident set size 0, Integral resident set size 0
Non physical pagefaults 0, Physical pagefaults 10580, Swaps 0
Blocks in 4 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 10604, Involuntary context switches 122798

Explanations for the types of information myisamchk produces are given here. ``Keyfile'' refers to the index file. ``Record'' and ``row'' are synonymous:

  • MyISAM file Name of the MyISAM (index) file.
  • File-version Version of MyISAM format. Currently always 2.
  • Creation time When the datafile was created.
  • Recover time When the index/datafile was last reconstructed.
  • Data records How many records are in the table.
  • Deleted blocks How many deleted blocks still have reserved space. You can optimize your table to minimize this space. See section 5.6.2.10 Table Optimization.
  • Data file parts For dynamic record format, this indicates how many data blocks there are. For an optimized table without fragmented records, this is the same as Data records.
  • Deleted data How many bytes of unreclaimed deleted data there are. You can optimize your table to minimize this space. See section 5.6.2.10 Table Optimization.
  • Data file pointer The size of the datafile pointer, in bytes. It is usually 2, 3, 4, or 5 bytes. Most tables manage with 2 bytes, but this cannot be controlled from MySQL yet. For fixed tables, this is a record address. For dynamic tables, this is a byte address.
  • Keyfile pointer The size of the index file pointer, in bytes. It is usually 1, 2, or 3 bytes. Most tables manage with 2 bytes, but this is calculated automatically by MySQL. It is always a block address.
  • Max datafile length How long the table's datafile can become, in bytes.
  • Max keyfile length How long the table's index file can become, in bytes.
  • Recordlength How much space each record takes, in bytes.
  • Record format The format used to store table rows. The preceding examples use Fixed length. Other possible values are Compressed and Packed.
  • table description A list of all keys in the table. For each key, myisamchk displays some low-level information:
    • Key This key's number.
    • Start Where in the record this index part starts.
    • Len How long this index part is. For packed numbers, this should always be the full length of the column. For strings, it may be shorter than the full length of the indexed column, because you can index a prefix of a string column.
    • Index Whether a key value can exist multiple times in the index. Values are unique or multip. (multiple).
    • Type What datatype this index part has. This is a MyISAM datatype with the options packed, stripped, or empty.
    • Root Address of the root index block.
    • Blocksize The size of each index block. By default this is 1024, but the value may be changed at compile time when MySQL is built from source.
    • Rec/key This is a statistical value used by the optimizer. It tells how many records there are per value for this key. A unique key always has a value of 1. This may be updated after a table is loaded (or greatly changed) with myisamchk -a. If this is not updated at all, a default value of 30 is given.
    For the table shown in the examples, there are two table description lines for the ninth index. This indicates that it is a multiple-part index with two parts.
  • Keyblocks used What percentage of the keyblocks are used. When a table has just been reorganized with myisamchk, as for the table in the examples, the values are very high (very near the theoretical maximum).
  • Packed MySQL tries to pack keys with a common suffix. This can only be used for indexes on CHAR, VARCHAR, or DECIMAL columns. For long indexed strings that have similar leftmost parts, this can significantly reduce the space used. In the third example above, the fourth key is 10 characters long and a 60% reduction in space is achieved.
  • Max levels How deep the B-tree for this key is. Large tables with long key values get high values.
  • Records How many rows are in the table.
  • M.recordlength The average record length. This is the exact record length for tables with fixed-length records, because all records have the same length.
  • Packed MySQL strips spaces from the end of strings. The Packed value indicates the percentage of savings achieved by doing this.
  • Recordspace used What percentage of the datafile is used.
  • Empty space What percentage of the datafile is unused.
  • Blocks/Record Average number of blocks per record (that is, how many links a fragmented record is composed of). This is always 1.0 for fixed-format tables. This value should stay as close to 1.0 as possible. If it gets too big, you can reorganize the table with myisamchk. See section 5.6.2.10 Table Optimization.
  • Recordblocks How many blocks (links) are used. For fixed format, this is the same as the number of records.
  • Deleteblocks How many blocks (links) are deleted.
  • Recorddata How many bytes in the datafile are used.
  • Deleted data How many bytes in the datafile are deleted (unused).
  • Lost space If a record is updated to a shorter length, some space is lost. This is the sum of all such losses, in bytes.
  • Linkdata When the dynamic table format is used, record fragments are linked with pointers (4 to 7 bytes each). Linkdata is the sum of the amount of storage used by all such pointers.

If a table has been compressed with myisampack, myisamchk -d prints additional information about each table column. See section 8.2 myisampack, the MySQL Compressed Read-only Table Generator, for an example of this information and a description of what it means.

5.7 MySQL Localization and International Usage

5.7.1 The Character Set Used for Data and Sorting

By default, MySQL uses the ISO-8859-1 (Latin1) character set with sorting according to Swedish/Finnish rules. These defaults are suitable for the USA and most of western Europe.

All MySQL binary distributions are compiled with --with-extra-charsets=complex. This adds code to all standard programs that enables them to handle latin1 and all multi-byte character sets within the binary. Other character sets will be loaded from a character-set definition file when needed.

The character set determines what characters are allowed in names. It also determines how strings are sorted by the ORDER BY and GROUP BY clauses of the SELECT statement.

You can change the character set with the --default-character-set option when you start the server. The character sets available depend on the --with-charset=charset and --with-extra-charsets= list-of-charset | complex | all | none options to configure, and the character set configuration files listed in `SHAREDIR/charsets/Index'. See section 2.3.2 Typical configure Options.

As of MySQL 4.1.1, you can also change the character set collation with the --default-collation option when you start the server. The collation must be a legal collation for the default character set. (Use the SHOW COLLATION statement to determine which collations are available for each character set.) See section 2.3.2 Typical configure Options.

If you change the character set when running MySQL, that may also change the sort order. Consequently, you must run myisamchk -r -q --set-character-set=charset on all tables, or your indexes may not be ordered correctly.

When a client connects to a MySQL server, the server indicates to the client what the server's default character set is. The client will switch to use this character set for this connection.

You should use mysql_real_escape_string() when escaping strings for an SQL query. mysql_real_escape_string() is identical to the old mysql_escape_string() function, except that it takes the MYSQL connection handle as the first parameter so that the appropriate character set can be taken into account when escaping characters.

If the client is compiled with different paths than where the server is installed and the user who configured MySQL didn't include all character sets in the MySQL binary, you must tell the client where it can find the additional character sets it will need if the server runs with a different character set than the client.

You can do this by specifying a --character-sets-dir option to indicate the path to the directory in which the dynamic MySQL character sets are stored. For example, you can put the following in an option file:

[client]
character-sets-dir=/usr/local/mysql/share/mysql/charsets

You can force the client to use specific character set as follows:

[client]
default-character-set=character-set-name

This is normally unnecessary, however.

5.7.1.1 Using the German Character Set

To get German sorting order, you should start mysqld with a --default-character-set=latin1_de option. This will give you the following characteristics:

  • When sorting and comparing strings, the following mapping is performed on the strings before doing the comparison:
    ä  ->  ae
    ö  ->  oe
    ü  ->  ue
    ß  ->  ss
    
  • All accented characters are converted to their unaccented uppercase counterpart. All letters are converted to uppercase.
  • When comparing strings with LIKE, the one-character to two-character mapping is not done. All letters are converted to uppercase. Accents are removed from all letters except Ü, ü, Ö, ö, Ä, and ä.

5.7.2 Setting the Error Message Language

By default, mysqld produces error messages in English, but they can also be displayed in any of these other languages: Czech, Danish, Dutch, Estonian, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Norwegian-ny, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, or Swedish.

To start mysqld with a particular language for error messages, use a the --languag or -L option. The option value can be a language name or the full path to the error message file. For example:

shell> mysqld --language=swedish

Or:

shell> mysqld --language=/usr/local/share/swedish

Note that the language name should be specified in lowercase.

The language files are located (by default) in the `share/LANGUAGE' directory under the MySQL base directory.

To change the error message file, you should edit the `errmsg.txt' file, and then execute the following command to generate the `errmsg.sys' file:

shell> comp_err errmsg.txt errmsg.sys

If you upgrade to a newer version of MySQL, remember to repeat your changes with the new `errmsg.txt' file.

5.7.3 Adding a New Character Set

This section discusses the procedure for adding add another character set to MySQL. You must have a MySQL source distribution to use these instructions.

To choose the proper procedure, decide whether the character set is simple or complex:

  • If the character set does not need to use special string collating routines for sorting and does not need multi-byte character support, it is simple.
  • If it needs either of those features, it is complex.

For example, latin1 and danish are simple character sets, whereas big5 and czech are complex character sets.

In the following procedures, the name of your character set is represented by MYSET.

For a simple character set, do the following:

  1. Add MYSET to the end of the `sql/share/charsets/Index' file. Assign a unique number to it.
  2. Create the file `sql/share/charsets/MYSET.conf'. (You can use a copy of `sql/share/charsets/latin1.conf' as the basis for this file.) The syntax for the file is very simple:
    • Comments start with a `#' character and proceed to the end of the line.
    • Words are separated by arbitrary amounts of whitespace.
    • When defining the character set, every word must be a number in hexadecimal format.
    • The ctype array takes up the first 257 words. The to_lower[], to_upper[] and sort_order[] arrays take up 256 words each after that.
    See section 5.7.4 The Character Definition Arrays.
  3. Add the character set name to the CHARSETS_AVAILABLE and COMPILED_CHARSETS lists in configure.in.
  4. Reconfigure, recompile, and test.

For a complex character set, do the following:

  1. Create the file `strings/ctype-MYSET.c' in the MySQL source distribution.
  2. Add MYSET to the end of the `sql/share/charsets/Index' file. Assign a unique number to it.
  3. Look at one of the existing `ctype-*.c' files (such as `strings/ctype-big5.c') to see what needs to be defined. Note that the arrays in your file must have names like ctype_MYSET, to_lower_MYSET, and so on. These correspond to the arrays for a simple character set. See section 5.7.4 The Character Definition Arrays.
  4. Near the top of the file, place a special comment like this:
    /*
     * This comment is parsed by configure to create ctype.c,
     * so don't change it unless you know what you are doing.
     *
     * .configure. number_MYSET=MYNUMBER
     * .configure. strxfrm_multiply_MYSET=N
     * .configure. mbmaxlen_MYSET=N
     */
    
    The configure program uses this comment to include the character set into the MySQL library automatically. The strxfrm_multiply and mbmaxlen lines are explained in the following sections. You need include them only if you need the string collating functions or the multi-byte character set functions, respectively.
  5. You should then create some of the following functions:
    • my_strncoll_MYSET()
    • my_strcoll_MYSET()
    • my_strxfrm_MYSET()
    • my_like_range_MYSET()
    See section 5.7.5 String Collating Support.
  6. Add the character set name to the CHARSETS_AVAILABLE and COMPILED_CHARSETS lists in configure.in.
  7. Reconfigure, recompile, and test.

The `sql/share/charsets/README' file includes additional instructions.

If you want to have the character set included in the MySQL distribution, mail a patch to the MySQL internals mailing list. See section 1.7.1.1 The MySQL Mailing Lists.

5.7.4 The Character Definition Arrays

to_lower[] and to_upper[] are simple arrays that hold the lowercase and uppercase characters corresponding to each member of the character set. For example:

to_lower['A'] should contain 'a'
to_upper['a'] should contain 'A'

sort_order[] is a map indicating how characters should be ordered for comparison and sorting purposes. Quite often (but not for all character sets) this is the same as to_upper[], which means that sorting will be case-insensitive. MySQL will sort characters based on the value of sort_order[character]. For more complicated sorting rules, see the discussion of string collating in section 5.7.5 String Collating Support.

ctype[] is an array of bit values, with one element for one character. (Note that to_lower[], to_upper[], and sort_order[] are indexed by character value, but ctype[] is indexed by character value + 1. This is an old legacy convention to be able to handle EOF.)

You can find the following bitmask definitions in `m_ctype.h':

#define _U      01      /* Uppercase */
#define _L      02      /* Lowercase */
#define _N      04      /* Numeral (digit) */
#define _S      010     /* Spacing character */
#define _P      020     /* Punctuation */
#define _C      040     /* Control character */
#define _B      0100    /* Blank */
#define _X      0200    /* heXadecimal digit */

The ctype[] entry for each character should be the union of the applicable bitmask values that describe the character. For example, 'A' is an uppercase character (_U) as well as a hexadecimal digit (_X), so ctype['A'+1] should contain the value:

_U + _X = 01 + 0200 = 0201

5.7.5 String Collating Support

If the sorting rules for your language are too complex to be handled with the simple sort_order[] table, you need to use the string collating functions.

Right now the best documentation for this is the character sets that are already implemented. Look at the big5, czech, gbk, sjis, and tis160 character sets for examples.

You must specify the strxfrm_multiply_MYSET=N value in the special comment at the top of the file. N should be set to the maximum ratio the strings may grow during my_strxfrm_MYSET (it must be a positive integer).

5.7.6 Multi-byte Character Support

If your want to add support for a new character set that includes multi-byte characters, you need to use the multi-byte character functions.

Right now the best documentation on this is the character sets that are already implemented. Look at the euc_kr, gb2312, gbk, sjis, and ujis character sets for examples. These are implemented in the `ctype-'charset'.c' files in the `strings' directory.

You must specify the mbmaxlen_MYSET=N value in the special comment at the top of the source file. N should be set to the size in bytes of the largest character in the set.

5.7.7 Problems With Character Sets

If you try to use a character set that is not compiled into your binary, you might run into the following problems:

  • Your program has an incorrect path to where the character sets are stored. (Default `/usr/local/mysql/share/mysql/charsets'). This can be fixed by using the --character-sets-dir option when you run the program in question.
  • The character set is a multi-byte character set that can't be loaded dynamically. In this case, you must recompile the program with support for the character set.
  • The character set is a dynamic character set, but you don't have a configure file for it. In this case, you should install the configure file for the character set from a new MySQL distribution.
  • If your `Index' file doesn't contain the name for the character set, your program will display the following error message:
    ERROR 1105: File '/usr/local/share/mysql/charsets/?.conf'
    not found (Errcode: 2)
    
    In this case, you should either get a new Index file or manually add the name of any missing character sets to the current file.

For MyISAM tables, you can check the character set name and number for a table with myisamchk -dvv tbl_name.

5.8 The MySQL Log Files

MySQL has several different log files that can help you find out what's going on inside mysqld:

Log File Types of Information Logged to File
The error log Problems encountering starting, running, or stopping mysqld.
The isam log Logs all changes to the ISAM tables. Used only for debugging the isam code.
The query log Established client connections and executed statements.
The update log Statements that change data. This log is deprecated.
The binary log Stores all statements that change data. Also used for replication.
The slow log Stores all queries that took more than long_query_time seconds to execute or didn't use indexes.

By default, all logs are created in the mysqld data directory. You can force mysqld to close and reopen the log files (or in some cases switch to a new log) by flushing the logs. Log flushing occurs when you issue a FLUSH LOGS statement or execute mysqladmin flush-logs or mysqladmin refresh. See section 14.5.4.2 FLUSH Syntax.

If you are using MySQL replication capabilities, slave replication servers maintain additional log files called relay logs. These are discussed in section 6 Replication in MySQL.

5.8.1 The Error Log

The error log file contains information indicating when mysqld was started and stopped and also any critical errors that occur while the server is running.

If mysqld dies unexpectedly and mysqld_safe needs to restart it, mysqld_safe will write a restarted mysqld message to the error log. If mysqld notices a table that needs to be automatically checked or repaired, it writes a message to the error log.

On some operating systems, the error log will contain a stack trace if mysqld dies. The trace can be used to determine where mysqld died. See section D.1.4 Using a Stack Trace.

Beginning with MySQL 4.0.10, you can specify where mysqld stores the error log file with the option --log-error[=file_name]. If no file_name value is given, mysqld uses the name `'hostname'.err' and writes the file in the data directory. (Prior to MySQL 4.0.10, the Windows error log name is `mysql.err'.) If you execute FLUSH LOGS the error log will be renamed with a suffix of -old and mysqld creates a new empty log file.

In older MySQL versions on Unix, error log handling was done by mysqld_safe which redirected the error file to 'hostname'.err. You could change this filename by specifying a --err-log=filename option to mysqld_safe.

If you don't specify --log-error, or (on Windows) if you use the --console option, errors are written to stderr, the standard error output. Usually this is your terminal.

On Windows, error output is always written to the .err file if --console is not given.

5.8.2 The General Query Log

If you want to know what happens within mysqld, you should start it with the --log[=file_name] or -l [file_name] option. If no file_name value is given, the default name is `hostname.log' This will log all connections and statements to the log file. This log can be very useful when you suspect an error in a client and want to know exactly what the client sent to mysqld.

Older versions of the mysql.server script (from MySQL 3.23.4 to 3.23.8) pass safe_mysqld a --log option to enable the general query log. If you need better performance when you start using MySQL in a production environment, you can remove the --log option from mysql.server or change it to --log-bin. See section 5.8.4 The Binary Log.

mysqld writes statements to the query log in the order that it receives them. This may be different from the order in which they are executed. This is in contrast to the update log and the binary log, which are written after the query is executed, but before any locks are released.

Server restarts and log flushing do not cause a new general query log file to be generated (although flushing closes and reopens it). On Unix, you can rename the file and create a new one by using the following commands:

shell> mv hostname.log hostname-old.log
shell> mysqladmin flush-logs
shell> cp hostname-old.log to-backup-directory
shell> rm hostname-old.log

On Windows, you cannot rename the log file while the server has it open. You must stop the server and rename the log. Then restart the server to create a new log.

5.8.3 The Update Log

Note: The update log has been deprecated and replaced by the binary log. See section 5.8.4 The Binary Log. The binary log can do anything the old update log could do, and more. The update log is unavailable as of MySQL 5.0.0.

When started with the --log-update[=file_name] option, mysqld writes a log file containing all SQL statements that update data. If no file_name value is given, the default name is name of the host machine. If a filename is given, but it doesn't contain a leading path, the file is written in the data directory. If `file_name' doesn't have an extension, mysqld creates log files with names of the form `file_name.###', where ### is a number that is incremented each time you start the server or flush the logs.

Note: For this naming scheme to work, you must not create your own files with the same names as those that might be used for the log file sequence.

Update logging is smart because it logs only statements that really update data. So an UPDATE or a DELETE with a WHERE that finds no rows is not written to the log. It even skips UPDATE statements that set a column to the value it already has.

The update logging is done immediately after a query completes but before any locks are released or any commit is done. This ensures that statements are logged in execution order.

If you want to update a database from update log files, you could do the following (assuming your update logs have names of the form `file_name.###'):

shell> ls -1 -t -r file_name.[0-9]* | xargs cat | mysql

ls is used to sort the update log filenames into the right order.

This can be useful if you have to revert to backup files after a crash and you want to redo the updates that occurred between the time of the backup and the crash.

5.8.4 The Binary Log

The binary log has replaced the old update log, which is is unavailable starting from MySQL 5.0. The binary log contains all information that is available in the update log in a more efficient format and in a manner that is transactionally safe.

The binary log, like the old update log, only logs statements that really update data. So an UPDATE or a DELETE with a WHERE that finds no rows is not written to the log. It even skips UPDATE statements that set a column to the value it already has.

The binary log also contains information about how long each statment took that updated the database. It doesn't contain statements that don't modify any data. If you want to log all statements (for example to identify a problem query) you should use the general query log. See section 5.8.2 The General Query Log.

The primary purpose of the binary log is to be able to update the database during a restore operation as fully as possible, as the binary log will contain all updates done after a backup was made.

The binary log is also used on master replication servers as a record of the statements to be sent to slave servers. See section 6 Replication in MySQL.

Running the server with the binary log enabled makes performance about 1% slower. However, the benefits of the binary log for restore operations and in allowing you to set up replication generally outweigh this minor performance decrement.

When started with the --log-bin[=file_name] option, mysqld writes a log file containing all SQL commands that update data. If no file_name value is given, the default name is the name of the host machine followed by -bin. If file name is given, but it doesn't contain a path, the file is written in the data directory.

If you supply an extension in the log name (for example, --log-bin=filename.extension), the extension is silently removed and ignored.

mysqld appends a numeric extension to the binary log name. The number is incremented each time you start the server or flush the logs. A new binary log also is created automatically when the current log's size reaches max_binlog_size. A binary log may become larger than max_binlog_size if you are using large transactions: A transaction is written to the binary log in one piece, never split between binary logs.

To be able to know which different binary log files have been used, mysqld also creates a binary log index file that contains the name of all used binary log files. By default this has the same name as the binary log file, with the extension '.index'. You can change the name of the binary log index file with the --log-bin-index=[file_name] option. You should not manually edit this file while mysqld is running; doing this would confuse mysqld.

You can delete all binary log files with the RESET MASTER statement, or only some of them with PURGE MASTER LOGS. See section 14.5.4.5 RESET Syntax and section 14.6.1 SQL Statements for Controlling Master Servers.

You can use the following options to mysqld to affect what is logged to the binary log. Note also the discussion that follows this option list.

--binlog-do-db=db_name
Tells the master that it should log updates to the binary log if the current database (that is, the one selected by USE) is db_name. All others databases that are not explicitly mentioned are ignored. Note that if you use this you should ensure that you only do updates in the current database. Example of what does not work as you might expect: If the server is started with binlog-do-db=sales, and you do USE prices; UPDATE sales.january SET amount=amount+1000;, this statement will not be written into the binary log.
--binlog-ignore-db=db_name
Tells the master that updates where the current database (that is, the one selected by USE) is db_name should not be stored in the binary log. Note that if you use this you should ensure that you only do updates in the current database. Example of what does not work as you might expect: If the server is started with binlog-ignore-db=sales, and you do USE prices; UPDATE sales.january SET amount=amount+1000;, this statement will be written into the binary log.

To log or ignore multiple databases, specify the appropriate option multiple times, once for each database.

The rules for logging or ignoring updates to the binary log are evaluated in the following order:

  1. Are there binlog-do-db or binlog-ignore-db rules?
    • No: Write the statement to the binary log and exit.
    • Yes: Go to the next step.
  2. So there are some rules (binlog-do-db or binlog-ignore-db or both). Is there a current database (has any database been selected by USE?)?
    • No: Do NOT write the statement, and exit.
    • Yes: Go to the next step.
  3. There is a current database. Are there some binlog-do-db rules?
    • Yes: Does the current database match any of the binlog-do-db rules?
      • Yes: Write the statement and exit.
      • No: Do NOT write the statement, and exit.
    • No: Go to the next step.
  4. There are some binlog-ignore-db rules. Does the current database match any of the binlog-ignore-db rules?
    • Yes: Do not write the statement, and exit.
    • No: Write the query and exit.

So for example, a slave running with only binlog-do-db=sales will not write to the binary log any statement whose current database is different from sales (in other words, binlog-do-db can sometimes mean ``ignore other databases'').

If you are using replication, you should not delete old binary log files until you are sure that no slave will ever need to use them. One way to do this is to do mysqladmin flush-logs once a day and then remove any logs that are more than 3 days old. You can remove them manually, or preferably using PURGE MASTER LOGS (see section 14.6.1 SQL Statements for Controlling Master Servers) which will also safely update the binary log index file for you (and which can take a date argument since MySQL 4.1)

A client with the SUPER privilege can disable binary logging of its own statements by using a SET SQL_LOG_BIN=0 statement. See section 14.5.3.1 SET Syntax.

You can examine the binary log file with the mysqlbinlog utility. This can be useful when you want to reprocess statements in the log. For example, you can update a MySQL server from the binary log as follows:

shell> mysqlbinlog log-file | mysql -h server_name

See section 8.5 The mysqlbinlog Binary Log Utility for more information on the mysqlbinlog utility and how to use it.

If you are using transactions, you must use the MySQL binary log for backups instead of the old update log.

The binary logging is done immediately after a query completes but before any locks are released or any commit is done. This ensures that the log will be logged in the execution order.

Updates to non-transactional tables are stored in the binary log immediately after execution. For transactional tables such as BDB or InnoDB tables, all updates (UPDATE, DELETE or INSERT) that change tables are cached until a COMMIT statement is received by the server. At that point, mysqld writes the whole transaction to the binary log before the COMMIT is executed. When the thread that handles the transaction starts, it allocates a buffer of binlog_cache_size to buffer queries. If a statement is bigger than this, the thread opens a temporary file to store the transaction. The temporary file is deleted when the thread ends.

The max_binlog_cache_size (default 4G) can be used to restrict the total size used to cache a multiple-statement transaction. If a transaction is larger than this, it will fail and roll back.

If you are using the update log or binary log, concurrent inserts will be converted to normal inserts when using CREATE ... SELECT or INSERT ... SELECT. This is to ensure that you can re-create an exact copy of your tables by applying the log on a backup.

The binary log format is different in versions 3.23, 4.0, and 5.0.0. Those format changes were required to implement enhancements to replication. MySQL 4.1 has the same binary log format as 4.0.

5.8.5 The Slow Query Log

When started with the --log-slow-queries[=file_name] option, mysqld writes a log file containing all SQL statements that took more than long_query_time seconds to execute. The time to acquire the initial table locks are not counted as execution time.

If no file_name value is given, the default is the name of the host machine with a suffix of -slow.log. If a filename is given, but doesn't contain a path, the file is written in the data directory.

A statement is logged to the slow query log after it has been executed and after all locks have been released. Log order may be different from execution order.

The slow query log can be used to find queries that take a long time to execute and are thus candidates for optimization. However, examining a long slow query log can become a difficult task. To make this easier, you can pipe the slow query log through the mysqldumpslow command to get a summary of the queries that appear in the log.

If you also use the --log-long-format when logging slow queries, then queries that are not using indexes are logged as well. See section 5.2.1 mysqld Command-line Options.

5.8.6 Log File Maintenance

The MySQL Server can create a number of different log files, which make it easy to see what is going on. See section 5.8 The MySQL Log Files. However, you must clean up these files regularly, to ensure that the logs don't take up too much disk space.

When using MySQL with logging enabled, you will want to backup and remove old log files from time to time and tell MySQL to start logging to new files. See section 5.6.1 Database Backups.

On a Linux (Red Hat) installation, you can use the mysql-log-rotate script for this. If you installed MySQL from an RPM distribution, the script should have been installed automatically. Note that you should be careful with this script if you are using the binary log for replication! (You should not remove binary logs until you are certain that their contents have been processed by all slaves.)

On other systems, you must install a short script yourself that you start from cron to handle log files.

You can force MySQL to start using new log files by using mysqladmin flush-logs or by using the SQL statement FLUSH LOGS. If you are using MySQL Version 3.21, you must use mysqladmin refresh.

A log flushing operation does the following:

  • If standard logging (--log) or slow query logging (--log-slow-queries) is used, closes and reopens the log file (`mysql.log' and ``hostname`-slow.log' as default).
  • If update logging (--log-update) or binary logging (--log-bin) is used, closes the log and opens a new log file with a higher sequence number.

If you are using only an update log, you only have to flush the logs and then move away the old update log files to a backup. If you are using the normal logging, you can do something like:

shell> cd mysql-data-directory
shell> mv mysql.log mysql.old
shell> mysqladmin flush-logs

Then make a backup and remove `mysql.old'.

5.9 Running Multiple MySQL Servers on the Same Machine

In some cases, you might want to run multiple mysqld servers on the same machine. You might want to test a new MySQL release while leaving your existing production setup undisturbed. Or you may want to give different users access to different mysqld servers that they manage themselves. (For example, you might be an Internet Service Provider that wants to provide independent MySQL installations for different customers.)

To run multiple servers on a single machine, each server must have unique values for several operating parameters. These can be set on the command line or in option files. See section 4.3 Specifying Program Options.

At least the following options must be different for each server:

  • --port=port_num --port controls the port number for TCP/IP connections.
  • --socket=path --socket controls the socket file path on Unix and the name of the named pipe on Windows. On Windows, it's necessary to specify distinct pipe names only for those servers that support named pipe connections.
  • --shared-memory-base-name=name This option currently is used only on Windows. It designates the shared memory name used by a Windows server to allow clients to connect via shared memory. This option is new in MySQL 4.1.
  • --pid-file=path This option is used only on Unix. It indicates the name of the file in which the server writes its process ID.

If you use the following log file options, they must be different for each server:

  • --log=path
  • --log-bin=path
  • --log-update=path
  • --log-error=path
  • --log-isam=path
  • --bdb-logdir=path

Log file options are described in section 5.8.6 Log File Maintenance.

If you want more performance, you can also specify the following options differently for each server, to spread load between several physical disks:

  • --tmpdir=path
  • --bdb-tmpdir=path

Having different temporary directories is also recommended for the reason that it is easier to determine which MySQL server created any given temporary file.

Generally, each server should also use a different data directory, which is specified using the --datadir=path option.

Warning: Normally you should never have two servers that update data in the same databases! This may lead to unpleasant surprises if your operating system doesn't support fault-free system locking! If (despite this warning) you run multiple servers using the same data directory and they have logging enabled, you must use the appropriate options to specify log file names that are unique to each server. Otherwise, the servers will try to log to the same files.

This warning against sharing a data directory among servers also applies in an NFS environment. Allowing multiple MySQL servers to access a common data directory over NFS is a bad idea!

  • The primary problem is that NFS will become the speed bottleneck. It is not meant for such use.
  • Another risk with NFS is that you will have to come up with a way to make sure that two or more servers do not interfere with each other. Usually NFS file locking is handled by the lockd daemon, but at the moment there is no platform that will perform locking 100% reliably in every situation.

Make it easy for yourself: Forget about sharing a data directory among servers over NFS. A better solution is to have one computer that contains several CPUs and use an operating system that handles threads efficiently.

If you have multiple MySQL installations in different locations, normally you can specify the base installation directory for each server with the --basedir=path option to cause each server to use a different data directory, log files, and PID file. (The defaults for all these values are determined relative to the base directory.) In that case, the only other options you need to specify are the --socket and --port options. For example, suppose you install different versions of MySQL using `.tar' file binary distributions. These will install in different locations, so you can start the server for each installation using the command ./bin/mysqld_safe under its corresponding base directory. mysqld_safe will determine the proper --basedir option to pass to mysqld, and you need specify only the --socket and --port options to mysqld_safe. (For versions of MySQL older than 4.0, use safe_mysqld rather than mysqld_safe.)

As discussed in the following sections, it is possible to start additional servers by setting environment variables or by specifying appropriate command-line options. However, if you need to run multiple servers on a more permanent basis, it will be more convenient to use option files to specify for each server those option values that must be unique to it.

5.9.1 Running Multiple Servers on Windows

You can run multiple servers on Windows by starting them manually from the command line, each with appropriate operating parameters. On Windows NT-based systems, you also have the option of installing several servers as Windows services and running them that way. General instructions for running MySQL servers from the command line or as services are given in section 2.2.1 Installing MySQL on Windows. This section describes how to make sure you start each server with different values for those startup options that must be unique per server, such as the data directory. (These options are described in section 5.9 Running Multiple MySQL Servers on the Same Machine.)

5.9.1.1 Starting Multiple Windows Servers at the Command Line

To start multiple servers manually from the command line, you can specify the appropriate options on the command line or in an option file. It's more convenient to place the options in an option file, but it's necessary to make sure that each server gets its own set of options. To do this, create an option file for each server and tell the server the filename with a --defaults-file option when you run it.

Suppose that you want to run mysqld on port 3307 with a data directory of `C:\mydata1', and mysqld-max on port 3308 with a data directory of `C:\mydata2'. (To do this, make sure that before you start the servers, each data directory exists and has its own copy fo the mysql database that contains the grant tables.)

Then create two option files. For example, create one file named `C:\my-opts1.cnf' that looks like this:

[mysqld]
datadir = C:/mydata1
port = 3307

Create a second file named `C:\my-opts2.cnf' that looks like this:

[mysqld]
datadir = C:/mydata2
port = 3308

Then start each server with its own option file:

C:\> mysqld --defaults-file=C:\my-opts1.cnf
C:\> mysqld-max --defaults-file=C:\my-opts2.cnf

On NT, each server will start in the foreground (no new prompt appears until the server exits later); you'll need to issue those two commands in separate console windows.

To shut down the servers, you must connect to the appropriate port number:

C:\> mysqladmin --port=3307 shutdown
C:\> mysqladmin --port=3308 shutdown

Servers configured as just described will allow clients to connect over TCP/IP. If your version of Windows supports named pipes and you also want to allow named pipe connections, use the mysqld-nt or mysqld-max-nt servers and specify options that enable the named pipe and specify its name. Each server that supports named pipe connections must use a unique pipe name. For example, the `C:\my-opts1.cnf' file might be written like this:

[mysqld]
datadir = C:/mydata1
port = 3307
enable-named-pipe
socket = mypipe1

Then start the server this way:

C:\> mysqld-nt --defaults-file=C:\my-opts1.cnf

`C:\my-opts2.cnf' would be modified similarly for use by the second server.

5.9.1.2 Starting Multiple Windows Servers as Services

On NT-based systems, a MySQL server can be run as a Windows service. The procedures for installing, controlling, and removing a single MySQL service are described in section 2.2.1.7 Starting MySQL as a Windows Service.

As of MySQL 4.0.2, you can install multiple servers as services. In this case, you must make sure that each server uses a different service name in addition to all the other parameters that must be unique per server.

For the following instructions, assume that you want to run the mysqld-nt server from two different versions of MySQL that are installed at `C:\mysql-4.0.8' and `C:\mysql-4.0.17', respectively. (This might be the case if you're running 4.0.8 as your production server, but want to test 4.0.17 before upgrading to it.)

The following principles apply when installing a MySQL service with the --install or --install-manual option:

  • If you specify no service name, the server uses the default service name of MySQL and the server reads options from the [mysqld] group in the standard option files.
  • If you specify a service name after the --install option, the server ignores the [mysqld] option group and instead reads options from the group that has the same name as the service. The server reads options from the standard option files.
  • If you specify a --defaults-file option after the service name, the server ignores the standard option files and reads options only from the [mysqld] group of the named file.

Note: Before MySQL 4.0.17, only a server installed using the default service name (MySQL) or one installed explicitly with a service name of mysqld will read the [mysqld] group in the standard option files. As of 4.0.17, all servers read the [mysqld] group if they read the standard option files, even if they are installed using another service name. This allows you to use the [mysqld] group for options that should be used by all MySQL services, and an option group named after each service for use by the server installed with that service name.

Based on the preceding information, you have several ways to set up multiple services. The following instructions describe some examples. Before trying any of them, be sure you shut down and remove any existing MySQL services first.

  • Approach 1: Specify the options for all services in one of the standard option files. To do this, use a different service name for each server. Suppose you want to run the 4.0.8 mysqld-nt using the service name of mysqld1 and the 4.0.17 mysqld-nt using the service name mysqld2. In this case, you can use the [mysqld1] group for 4.0.8 and the [mysqld2] group for 4.0.17. For example, you can set up `C:\my.cnf' like this:
    # options for mysqld1 service
    [mysqld1]
    basedir = C:/mysql-4.0.8
    port = 3307
    enable-named-pipe
    socket = mypipe1
    
    # options for mysqld2 service
    [mysqld2]
    basedir = C:/mysql-4.0.17
    port = 3308
    enable-named-pipe
    socket = mypipe2
    
    Install the services as follows, using the full server pathnames to ensure that Windows registers the correct executable program for each service:
    C:\> C:\mysql-4.0.8\bin\mysqld-nt --install mysqld1
    C:\> C:\mysql-4.0.17\bin\mysqld-nt --install mysqld2
    
    To start the services, use the services manager, or use NET START with the appropriate service names:
    C:\> NET START mysqld1
    C:\> NET START mysqld2
    
    To stop the services, use the services manager, or use NET STOP with the appropriate service names:
    C:\> NET STOP mysqld1
    C:\> NET STOP mysqld2
    
  • Approach 2: Specify options for each server in separate files and use --defaults-file when you install the services to tell each server what file to use. In this case, each file should list options using a [mysqld] group. With this approach, to specify options for the 4.0.8 mysqld-nt, create a file `C:\my-opts1.cnf' that looks like this:
    [mysqld]
    basedir = C:/mysql-4.0.8
    port = 3307
    enable-named-pipe
    socket = mypipe1
    
    For the 4.0.17 mysqld-nt, create a file `C:\my-opts2.cnf' that looks like this:
    [mysqld]
    basedir = C:/mysql-4.0.17
    port = 3308
    enable-named-pipe
    socket = mypipe2
    
    Install the services as follows (enter each command on a single line):
    C:\> C:\mysql-4.0.8\bin\mysqld-nt --install mysqld1
               --defaults-file=C:\my-opts1.cnf
    C:\> C:\mysql-4.0.17\bin\mysqld-nt --install mysqld2
               --defaults-file=C:\my-opts2.cnf
    
    To use a --defaults-file option when you install a MySQL server as a service, you must precede the option with the service name. After installing the services, start and stop them the same way as in the preceding example.

To remove multiple services, use mysqld --remove for each one, specifying a service name following the --remove option. If the service name is the default (MySQL), you can omit it..

5.9.2 Running Multiple Servers on Unix

The easiest way is to run multiple servers on Unix is to compile them with different TCP/IP ports and Unix socket files so that each one is listening on different network interfaces. Also, by compiling in different base directories for each installation, that automatically results in different compiled-in data directory, log file, and PID file locations for each of your servers.

Assume that an existing server is configured for the default TCP/IP port number (3306) and Unix socket file (`/tmp/mysql.sock'). To configure a new server to have different operating parameters, use a configure command something like this:

shell> ./configure --with-tcp-port=port_number \
             --with-unix-socket-path=file_name \
             --prefix=/usr/local/mysql-4.0.17

Here, port_number and file_name must be different from the default TCP/IP port number and Unix socket file pathname, and the --prefix value should specify an installation directory different than the one under which the existing MySQL installation is located.

If you have a MySQL server listening on a given port number, you can use the following command to find out what operating parameters it is using for several important configurable variables, including the base directory and Unix socket filename:

shell> mysqladmin --host=host_name --port=port_number variables

With the information displayed by that command, you can tell what option values not to use when configuring an additional server.

Note that if you specify ``localhost'' as a hostname, mysqladmin will default to using a Unix socket file connection rather than TCP/IP. In MySQL 4.1, you can explicitly specify the connection protocol to use by using the --protocol={TCP | SOCKET | PIPE | MEMORY} option.

You don't have to compile a new MySQL server just to start with a different Unix socket file and TCP/IP port number. It is also possible to specify those values at runtime. One way to do so is by using command-line options:

shell> /path/to/mysqld_safe --socket=file_name --port=port_number

To start a second server, provide different --socket and --port option values, and pass a a --datadir=path option to mysqld_safe so that the server uses a different data directory.

Another way to achieve a similar effect is to use environment variables to set the Unix socket filename and TCP/IP port number:

shell> MYSQL_UNIX_PORT=/tmp/mysqld-new.sock
shell> MYSQL_TCP_PORT=3307
shell> export MYSQL_UNIX_PORT MYSQL_TCP_PORT
shell> scripts/mysql_install_db
shell> bin/mysqld_safe --datadir=/path/to/datadir &

This is a quick way of starting a second server to use for testing. The nice thing about this method is that the environment variable settings will apply to any client programs that you invoke from the same shell. Thus, connections for those clients automatically will be directed to the second server!

section E Environment Variables includes a list of other environment variables you can use to affect mysqld.

For automatic server execution, your startup script that is executed at boot time should execute the following command once for each server with an appropriate option file path for each command:

mysqld_safe --defaults-file=path-to-option-file

Each option file should contain option values specific to a given server.

On Unix, the mysqld_multi script is another way to start multiple servers. See section 5.1.5 The mysqld_multi Program for Managing Multiple MySQL Servers.

5.9.3 Using Client Programs in a Multiple-Server Environment

When you want to connect with a client program to a MySQL server that is listening to different network interfaces than those compiled into your client, you can use one of the following methods:

  • Start the client with --host=host_name --port=port_number to connect via TCP/IP to a remote server, with --host=127.0.0.1 --port=port_number to connect via TCP/IP to a local server, or with --host=localhost --socket=file_name to connect to a local server via a Unix socket file or a Windows named pipe.
  • As of MySQL 4.1, start the client with --protocol=tcp to connect via TCP/IP, --protocol=socket to connect via a Unix socket file, --protocol=pipe to connect via a named pipe, or --protocol=memory to connect via shared memory. For TCP/IP connections, you may also need to specify --host and --port options. For the other types of connections, you may need to specify a --socket option to specify a Unix socket file or named pipe name, or a --shared-memory-base-name option to specify the shared memory name. Shared memory connections are supported only on Windows.
  • On Unix, set the MYSQL_UNIX_PORT and MYSQL_TCP_PORT environment variables to point to the Unix socket file and TCP/IP port number before you start your clients. If you normally use a specific socket file or port number, you can place commands to set these environment variables in your `.login' file so that they apply each time you log in. See section E Environment Variables.
  • Specify the default Unix socket file and TCP/IP port number in the [client] group of an option file. For example, you can use `C:\my.cnf' on Windows, or the `.my.cnf' file in your home directory on Unix. See section 4.3.2 Using Option Files.
  • In a C program, you can specify the socket file or port number arguments in the mysql_real_connect() call. You can also have the program read option files by calling mysql_options(). See section 20.2.3 C API Function Descriptions.
  • If you are using the Perl DBD::mysql module, you can read options from MySQL option files. For example:
    $dsn = "DBI:mysql:test;mysql_read_default_group=client;"
            . "mysql_read_default_file=/usr/local/mysql/data/my.cnf";
    $dbh = DBI->connect($dsn, $user, $password);
    
    See section 20.6 MySQL Perl API. Other programming interfaces may provide similar capabilities for reading option files.

5.10 The MySQL Query Cache

From version 4.0.1 on, MySQL Server features a Query Cache. When in use, the query cache stores the text of a SELECT query together with the corresponding result that was sent to the client. If the identical query is received later, the server retrieves the results from the query cache rather than parsing and executing the query again.

Note: The query cache does not return stale data. When data is modified, any relevant entries in the query cache are flushed.

The query cache is extremely useful in an environment where (some) tables don't change very often and you have a lot of identical queries. This is a typical situation for many Web servers that generate a lot of dynamic pages based on database content.

NOTE: It doesn't work in an environment where you have many mysqld servers updating the same MyISAM tables.

Some performance data for the query cache follow. These results were generated by running the MySQL benchmark suite on a Linux Alpha 2 x 500 MHz with 2GB RAM and a 64MB query cache.

  • If all of the queries you're performing are simple (such as selecting a row from a table with one row), but still differ so that the queries cannot be cached, the overhead for having the query cache active is 13%. This could be regarded as the worst case scenario. In real life, queries tend to be much more complicated, so the overhead is normally significantly lower.
  • Searches for a single row in a single-row table are 238% faster with the query cache than without it. This can be regarded as close to the minimum speedup to be expected for a query that is cached.

To disable the query cache at server startup, set the query_cache_size system variable to 0. By disabling the query cache code there is no noticeable overhead. Query cache capabilities can be excluded from the server entirely by using the --without-query-cache option to configure when compiling MySQL.

5.10.1 How the Query Cache Operates

This section describes how the query cache works when it is operational. section 5.10.3 Query Cache Configuration describes how to control whether or not it is operational.

Queries are compared before parsing, so the following two queries are regarded as different by the query cache:

SELECT * FROM tbl_name
Select * from tbl_name

Queries must be exactly the same (byte for byte) to be seen as identical. In addition, query strings that are identical may be treated as different for otther reasons. Queries that uses different databases, uses different protocol versions or different default character sets are considered different queries and are cached separately.

If a query result is returned from query cache, the server increments the Qcache_hits status variable, not Com_select. See section 5.10.4 Query Cache Status and Maintenance.

If a table changes then all cached queries that used the table become invalid and are removed from the cache. This includes queries that use MERGE tables that map to the changed table. A table can be changed by many types of statements, such as INSERT, UPDATE, DELETE, TRUNCATE, ALTER TABLE, DROP TABLE, or DROP DATABASE.

Transactional InnoDB tables that have been changed are invalidated when a COMMIT is performed.

In MySQL 4.0, the query cache is disabled within transactions (it does not return results). Beginning with MySQL 4.1.1, the query cache also works within transactions when using InnoDB tables (it uses the table version number to detect whether or not its contents are still current).

Before MySQL 5.0, a query that begins with a leading comment might be cached, but could not be fetched from the cache. This problem is fixed in MySQL 5.0.

A query cannot be cached if it contains any of the following functions:

Function Function Function
BENCHMARK() CONNECTION_ID() CURDATE()
CURRENT_DATE() CURRENT_TIME() CURRENT_TIMESTAMP()
CURTIME() DATABASE() ENCRYPT() with one parameter
FOUND_ROWS() GET_LOCK() LAST_INSERT_ID()
LOAD_FILE() MASTER_POS_WAIT() NOW()
RAND() RELEASE_LOCK() SYSDATE()
UNIX_TIMESTAMP() with no parameters USER()

A query also will not be cached under these conditions:

  • It contains user-defined functions (UDFs).
  • It contains user variables.
  • It refers to the tables in the mysql system database.
  • It is of any of the following forms:
    SELECT ... IN SHARE MODE
    SELECT ... INTO OUTFILE ...
    SELECT ... INTO DUMPFILE ...
    SELECT * FROM ... WHERE autoincrement_col IS NULL
    
    The last form is not cached because it is used as the ODBC workaround for obtaining the last insert ID value. See section 20.3.6 How to Get the Value of an AUTO_INCREMENT Column in ODBC.
  • It uses TEMPORARY tables.
  • It does not use any tables.
  • The user has a column privilege for any of the involved tables. Before a query is fetched from the query cache, MySQL checks that the user has SELECT privilege for all the involved databases and tables. If this is not the case, the cached result will not be used.

The query cache does work for SELECT SQL_CALC_FOUND_ROWS ... and SELECT FOUND_ROWS() type queries. FOUND_ROWS() returns the correct value even if the preceding query was fetched from the cache because the number of found rows is also stored in the cache.

5.10.2 Query Cache SELECT Options

There are two query cache related options that may be specified in a SELECT statement:

SQL_CACHE
The query result is cached if the value of the query_cache_type system variable is ON or DEMAND.
SQL_NO_CACHE
The query result is not cached.

5.10.3 Query Cache Configuration

Several mysqld system variables control query cache operation. These can be set in an option file or on the command line when starting mysqld. The query cache-related system variables all have names that begin with query_cache_. They are described briefly in section 5.2.3 Server System Variables, with additional configuration information given here.

To set the size of the query cache, set the query_cache_size system variable. Setting it to 0 disables the query cache. The default cache size is 0; that is, the query cache is disabled.

Assuming the query cache is enabled, the query_cache_type variable influences how it works. This variable can be set to the following values:

  • A value of 0 or OFF prevents caching or retrieval of cached results.
  • A value of 1 or ON allows caching except of those statements that begin with SELECT SQL_NO_CACHE.
  • A value of 2 or DEMAND causes caching only of those statements that begin with SELECT SQL_CACHE.

Setting the GLOBAL query_cache_type determines query cache behavior for all clients that connect after the change is made. Individual clients can control cache behavior for their own connection by setting the SESSION value of query_cache_type. For example, a client can disable use of the query cache for its own queries like this:

mysql> SET SESSION query_cache_type = OFF;

To control the maximum size of individual query results that can be cached, set the query_cache_limit variable. The default value is 1MB.

The result of a query (the data sent to the client) is stored in the query cache during result retrieval. Therefore the data is usually not handled in one big chunk. The query cache allocates blocks for storing this data on demand, so when one block is filled, a new block is allocated. Because memory allocation operation is costly (time wise), the query cache allocates blocks with a minimum size given by the query_cache_min_res_unit system variable. When a query is executed, the last result block is trimmed to the actual data size so that unused memory is freed. Depending on the types of queries your server executes, you might find it helpful to tune the value of query_cache_min_res_unit:

  • The default value of query_cache_min_res_unit is 4KB. This should be adequate for most cases.
  • If you have a lot of queries with small results, the default block size may lead to memory fragmentation, as indicated by a large number of free blocks. Fragmentation can cause the query cache to have to delete queries from the cache due to lack of memory. In this case, you should decrease the value of query_cache_min_res_unit. The number of free blocks and queries removed due to pruning are given by the values of the Qcache_free_blocks and Qcache_lowmem_prunes status variables.
  • If you most of your queries have large results (check the Qcache_total_blocks and Qcache_queries_in_cache status variables), you can increase performance by increasing query_cache_min_res_unit. However, be careful to not make it too large (see the previous item).

query_cache_min_res_unit is present from MySQL 4.1.

5.10.4 Query Cache Status and Maintenance

You can check whether the query cache is present in your MySQL server using the following statement::

mysql> SHOW VARIABLES LIKE 'have_query_cache';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| have_query_cache | YES   |
+------------------+-------+

You can defragment the query cache to better utilize its memory with the FLUSH QUERY CACHE statement. The statement does not remove any queries from the cache.

The RESET QUERY CACHE statement removes all query results from the query cache. The FLUSH TABLES statement also does this.

To monitor query cache performance, use SHOW STATUS to view the cache status variables:

mysql> SHOW STATUS LIKE 'Qcache%';
+-------------------------+--------+
| Variable_name           | Value  |
+-------------------------+--------+
| Qcache_free_blocks      | 36     |
| Qcache_free_memory      | 138488 |
| Qcache_hits             | 79570  |
| Qcache_inserts          | 27087  |
| Qcache_lowmem_prunes    | 3114   |
| Qcache_not_cached       | 22989  |
| Qcache_queries_in_cache | 415    |
| Qcache_total_blocks     | 912    |
+-------------------------+--------+

Descriptions of each of these variables are given in section 5.2.4 Server Status Variables. Some uses for them are described here.

<total number of SELECT queries> = Com_select + Qcache_hits + <queries with errors found by parser>

Com_select = Qcache_inserts + Qcache_not_cached + <queries with errors found during fields/rights check>

The query cache uses variable-length blocks, so Qcache_total_blocks and Qcache_free_blocks may indicate query cache memory fragmentation. After FLUSH QUERY CACHE only a single free block remains.

Note: Every cached query requires a minimum of two blocks (one for the query text and one or more for the query results). Also, every table that is used by a query requires one block. However, if two or more queries use the same table, only one block needs to be allocated.

The information provided by the Qcache_lowmem_prunes status variable can help you tune the query cache size. It counts the number of queries that have been removed from the cache to free up memory for caching new queries. The query cache uses a least recently used (LRU) strategy to decide which queries to remove from the cache. Tuning information is given in section 5.10.3 Query Cache Configuration.


Go to the first, previous, next, last section, table of contents.