Skip to content

Instantly share code, notes, and snippets.

@daniel-werner
Last active May 20, 2024 10:45
Show Gist options
  • Save daniel-werner/5ab30d2e5c566adaad3022f4da9e141d to your computer and use it in GitHub Desktop.
Save daniel-werner/5ab30d2e5c566adaad3022f4da9e141d to your computer and use it in GitHub Desktop.
#!/bin/bash
# Daniel Verner
# CarrotPlant LLC
# 2011
# Backup each mysql databases into a different file, rather than one big file
# Optionally files can be gzipped (dbname.gz)
#
# Usage: dump_all_databases [ -u username -o output_dir -z ]
#
# -u username to connect mysql server
# -o [output_dir] optional the output directory where to put the files
# -z gzip enabled
#
# Note: The script will prompt for a password, you cannot specify it as command line argument for security reasons
#
# based on the solution from: sonia 16-nov-05 (http://soniahamilton.wordpress.com/2005/11/16/backup-multiple-databases-into-separate-files/)
PROG_NAME=$(basename $0)
USER=""
PASSWORD=""
OUTPUTDIR=${PWD}
GZIP_ENABLED=0
GZIP=""
MYSQLDUMP="/usr/bin/mysqldump"
MYSQL="/usr/bin/mysql"
while getopts u:o:z OPTION
do
case ${OPTION} in
u) USER=${OPTARG};;
o) OUTPUTDIR=${OPTARG};;
z) GZIP_ENABLED=1;;
?) echo "Usage: ${PROG_NAME} [ -u username -o output_dir -z ]"
exit 2;;
esac
done
if [ "$USER" != '' ]; then
echo "Enter password for" $USER":"
oldmodes=`stty -g`
stty -echo
read PASSWORD
stty $oldmodes
fi
if [ ! -d "$OUTPUTDIR" ]; then
mkdir -p $OUTPUTDIR
fi
# get a list of databases
databases=`$MYSQL --user=$USER --password=$PASSWORD -e "SHOW DATABASES;" | grep -Ev "(Database|information_schema)"`
# dump each database in turn
for db in $databases; do
echo "$db"
if [ $GZIP_ENABLED == 1 ]; then
$MYSQLDUMP --force --opt --user=$USER --password=$PASSWORD --databases "$db" | gzip > "$OUTPUTDIR/$db.gz"
else
$MYSQLDUMP --force --opt --user=$USER --password=$PASSWORD --databases "$db" > "$OUTPUTDIR/$db.sql"
fi
done
@anarcat
Copy link

anarcat commented Oct 28, 2019

be careful when using this on a production server with untrusted users having CREATE DATABASE privileges.

this code:

for db in $databases; do
    echo $db
	if [ $GZIP_ENABLED == 1 ]; then
		$MYSQLDUMP --force --opt --user=$USER --password=$PASSWORD --databases $db | gzip > "$OUTPUTDIR/$db.gz"
	else
	    $MYSQLDUMP --force --opt --user=$USER --password=$PASSWORD --databases $db > "$OUTPUTDIR/$db.sql"
   	fi    
done

could allow an attacker to inject arbitrary code in the commandline because $db is not quoted anywhere.

See also this discussion of a similar problem in backupninja for more details, along with the two patches that try to address it.

@daniel-werner
Copy link
Author

@anarcat Thanks for the heads up!

I'll check and test the suggested solutions and will update the gist accordingly.

@anarcat
Copy link

anarcat commented Oct 28, 2019

i think that it might be simply a case of quoting ("$db") everywhere, in your case.

@daniel-werner
Copy link
Author

@anarcat Updated the gist. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment