Ken Bass wrote:
If a table is used to maintain user information, then when a row is
deleted (presumably to remove all information about one user) there
should be no trace of that user's information left anywhere. Not at
the SQL level, not at the file level, and also not at the disk level.
Simple--just stop making regular backups of your databases. That will
ensure that at some time in the future, all your data will be lost,
without possibility of recovery. But I suppose you want to be able to
have this happen on a schedule that _you_ control. ;-)
But seriously...
For what it's work, you should not rely on the multiple-UPDATE method to
overwrite data if you use InnoDB tables. If I understand it correctly,
InnoDB is a multi-versioning engine, so each UPDATE creates a new
version of the record, leaving past records in the file so that any
outstanding transactions can still read them. So the sequence of bytes
will still exist in the database file for a somewhat indeterminant
amount of time.
What I would do to eliminate data complete is:
1) Use simple SQL DELETE statements to remove the records as per normal.
2) Replicate database db1 to db2 so that all remaining data is preserved.
3) Destructively delete the files for db1 using a specialized tool for
that purpose.
This is in lieu of DROP DATABASE; destroying the data files (for
MyISAM) accomplishes the same thing.
If you use InnoDB, this might take some more configuration, because
the default is to store all data for all InnoDB tables together in one file.
4) Make your applications switch over to using db2. Next time you do
this cycle, do it in the reverse order and have the applications switch
to db1 after you destroy db2.
Destructive delete tools are available for most popular operating
systems. The idea is that they do more than the standard operating
system file deletion; they overwrite the file's data destructively.
See for examples (but feel free to search the internet for other solutions):
http://www.thefreecountry.com/securi...redelete.shtml
However, the solution proposed above has a timing issue. It isn't
practical to do this every time you delete any record. So there exists
the possibility that sensitive data will be seized by the jack-booted
thugs before you do your periodic cleanup cycle.
Regards,
Bill K.