Sanitizing databases: MariaDB and Drupal
Back to home
On this page
Databases of live websites often contain personally identifiable information (PII) such as full names, mailing addresses, and phone numbers. To ensure people reviewing code changes can’t access information they shouldn’t, sanitize your databases of any PII that they may contain.
This example goes through the process for a MySQL database using Drupal.
Before you begin
You need:
- A project with a MySQL database.
- A command interface installed:
This guide is about sanitizing MySQL databases.
This guide doesn’t address:
- Sanitizing NoSQL Databases (such as MongoDB)
- Input validation and input sanitization, which both help prevent security vulnerabilities
Sanitize the database
Make sure that you only sanitize preview environments and never the production environment. Otherwise you may lose most or even all of the relevant data stored in your database.
First, take a database dump of your preview environment.
This is just a safety precaution.
Production data isn’t altered.
To get a database dump, run the following command:
upsun
db:dump -e DEVELOPMENT_ENVIRONMENT_NAME
.
Assumptions:
users
is the table where all of your PII is stored in thestaging
development database.staging
is an exact copy of your production database.
-
Connect to the
staging
database by runningupsun sql -e staging
. -
Display all fields from your
users
table, to select which ones need to be redacted. Run the following query:MariaDB [main]> SELECT * FROM users;
You see output like the following:
+----+------------+---------------+---------------------------+---------------+ | ID | first_name | last_name | user_email | display_name | +----+------------+---------------+---------------------------+---------------+ | 1 | admin | admin | admin@yourcompany.com | admin | | 2 | john | doe | john.doe@gmail.com | john | | 3 | jane | doe | janedoe@ymail.com | jane | +----+------------+---------------+---------------------------+---------------+
-
Change the fields where PII is contained with the
UPDATE
statement. For example, to change the display name of users with an email address not in your company’s domain to a random value, run the following query:UPDATE users SET display_name==substring(md5(display_name||'$PLATFORM_PROJECT_ENTROPY') for 8); WHERE email NOT LIKE '%@yourcompany%'
Adapt and run that query for all fields that you need to sanitize. If you modify fields that you shouldn’t alter, you can restore them from the dump you took in step 1.
You can create a script to automate the sanitization process to be run automatically on each new deployment. Once you have a working script, add your script to sanitize the database to a
deploy
hook:.upsun/config.yamlapplications: myapp: # ... hooks: deploy: | # ... cd /app/public if [ "$PLATFORM_ENVIRONMENT_TYPE" = production ]; then # Do whatever you want on the production site. else # The sanitization of the database should happen here (since it's non-production) sanitize_the_database.sh fi
To sanitize your database and get rid of sensitive, live information, use the drush sql:sanitize
command.
Add your script to sanitize the database to a deploy
hook
for preview environments:
applications:
myapp:
hooks:
deploy: |
# ...
cd /app/public
if [ "$PLATFORM_ENVIRONMENT_TYPE" = production ]; then
# Do whatever you want on the production site.
else
drush -y sql:sanitize
fi
drush -y updatedb
More options are available. These are described in the Drush documentation.
To sanitize only on the initial deploy and not all future deploys, use Drush state as in the following example:
applications:
myapp:
hooks:
deploy: |
# ...
cd /app/public
if [ "$PLATFORM_ENVIRONMENT_TYPE" = production ] || [ "$(drush state:get --format=string mymodule.sanitized)" != yes ]; then
# Do whatever you want on the production site.
else
drush -y sql:sanitize
drush state:set --input-format=string mymodule.sanitized yes
fi
What’s next
You learned how to remove sensitive data from a database.
To replace sensitive data that with other meaningful data, you can add a faker
to the process.
A faker
is a program that generates fake data that looks real.
Having meaningful PII-free data allows you to keep your current Q&A, external reviews, and other processes.
To add a faker, adapt your sanitizing queries to replace each value that contains PII with a new value generated by the faker.
You might also want to make sure that you implement input validation.
If your database contains a lot of data, consider using the OPTIMIZE TABLE
statement
to reduce its size and help improve performance.