username and password should not be in command line

[dakira]

Big security isssue! This is really not a good idea.

public function dump($destinationFile)
{
    $command = sprintf('%smysqldump --user=%s --password=%s --host=%s --port=%s %s > %s',
        $this->getDumpCommandPath(),
        escapeshellarg($this->user),
        escapeshellarg($this->password),
        escapeshellarg($this->host),
        escapeshellarg($this->port),
        escapeshellarg($this->database),
        escapeshellarg($destinationFile)
    );
    return $this->console->run($command);
}

This will make the username and password show up in the process list. You should never do that. In a shared hosting environment it means other users know your db credentials.

Instead, write a mysql conf file to laravel storage containing the credentials and use it like this:

$command = sprintf(%smysqldump --defaults-extra-file=%s %s > %s',
    $this->getDumpCommandPath(),
    escapeshellarg($confFile)
    escapeshellarg($this->database),
    escapeshellarg($destinationFile)
);

the $confFile could look something like this

[client]
host     = localhost
user     = homestead
password = secret

PS: For extra credits; If you want to make the backup versionable (git) the command should produce the same results for unchanged databases. That only happens if you also use the arguments --skip-extended-insert and --skip-comments.

[freekmurze]

Thanks for your input. I'll tackle these issues very soon.

[freekmurze]

This issue is fixed in version 2.0.2

[dakira]

@freekmurze cool. thanks for picking up my suggestions!