Copilot AI commented Feb 1, 2026

MariaDB 11.4+ emits SSL verification warnings when MYSQL_PWD is used with --no-defaults, treating the environment variable as "no password provided" for SSL purposes.

Changes

Added --ssl-verify-server-cert flag conditionally only for MariaDB (not MySQL) to all MySQL/mysqldump commands using --no-defaults in src/Context/FeatureContext.php:

  • create_db() - CREATE DATABASE command
  • test_connection() - connection test query
  • drop_db() - DROP DATABASE command
  • install_wp() - mysql source and mysqldump commands

Implementation

Created a helper method is_mariadb() to detect MariaDB installations:

```php
private static function is_mariadb( $binary_path ) {
    return false !== strpos( basename( $binary_path ), 'mariadb' );
}
```

The flag is then added conditionally:

```php
$ssl_flag = self::is_mariadb( self::$mysql_binary ) ? ' --ssl-verify-server-cert' : '';
self::run_sql( self::$mysql_binary . ' --no-defaults' . $ssl_flag, [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );
```

Before

```php
self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );
```

After

```php
// MariaDB
self::run_sql( self::$mysql_binary . ' --no-defaults --ssl-verify-server-cert', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );

// MySQL (unchanged)
self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );
```

This suppresses the warning for MariaDB without changing MySQL behavior. The detection uses basename() to check if the binary name contains 'mariadb', making it reliable for standard installations.

Original prompt

This section details on the original issue you should resolve

<issue_title>Using MYSQL_PWD causes warnings in recent versions of MariaDB</issue_title>
<issue_description>Background: We remove the password from any mysql commands and store it in the MYSQL_PWD env var:

https://github.com/wp-cli/wp-cli/blob/aeae8711ad62327b943f2fb9d1ed8770dd01b4d6/php/utils.php#L596-L599

This practice used to be encouraged years ago with the idea being that if you send the password on the command line anybody can see it in the output of ps / top / etc...

The problem is, you can also see env vars in these tools as well (ps aux e for example), so you can't really hide the password that way either. On modern systems it is easy and common to make it so users just can't see other users' processes, which is the more secure method (see hidepid).

MariaDB specifically discourages using MYSQL_PWD:

https://mariadb.com/kb/en/mariadb-environment-variables/

> Default password when connecting to mysqld. It is strongly recommended to use a more secure method of sending the password to the server.

And as of this commit from last year: MariaDB/server@853bdf5

It now displays a warning when the following conditions are true:

* --ssl-verify-server-cert was not enabled explicitly, and
* CA was not specified, and
* fingerprint was not specified, and
* protocol is TCP, and
* no password was provided

These conditions are true for wp-cli, because we use MYSQL_PWD which MariaDB considers to be no password was provided (here).

This is normally fixable by adding this to the config:

```ini
[client-mariadb]
ssl-verify-server-cert
```

But it doesn't remove the warnings in our test environment because we use --no-defaults in several places, which tells MariaDB to ignore the config file:

```php
        $dbname = self::$db_settings['dbname'];
        self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "CREATE DATABASE IF NOT EXISTS $dbname" ] );
    }

    public function drop_db() {
        if ( 'sqlite' === self::$db_type ) {
            return;
        }
        $dbname = self::$db_settings['dbname'];
        self::run_sql( self::$mysql_binary . ' --no-defaults', [ 'execute' => "DROP DATABASE IF EXISTS $dbname" ] );
    }
```

Additionally, our tests use that as well: https://github.com/search?q=repo%3Awp-cli%2Fdb-command%20--no-defaults&type=code

So our CI tests for MariaDB don't work because many SQL commands emit the warning:

WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.

Probably the correct solution overall is to not use MYSQL_PWD as it is discouraged. Alternatives would possibly be manually adding --disable-ssl-verify-server-cert (or --ssl-verify-server-cert) to all of these commands. I believe the issue isn't with the option itself, but when the option is not explicitly stated AND there is no password sent as part of the command.

related slack discussion</issue_description>

Comments on the Issue (you are @copilot in this section)

@mrsdizzie Steps to test and reproduce this locally:

```
docker run --name mariadb-test \
  -e MARIADB_ROOT_PASSWORD=root \
  -e MARIADB_USER=wp_cli_test \
  -e MARIADB_PASSWORD=password1 \
  -e MARIADB_DATABASE=wp_cli_test \
  -d mariadb:11.4

docker exec -it mariadb-test bash
```

Using password directly works with no warning

root@154e63c58cd5:/# mariadb -u wp_cli_test -p'password1' -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Using MYSQL_PWD works but causes warning

root@154e63c58cd5:/# export MYSQL_PWD=password1
root@154e63c58cd5:/# mariadb -uwp_cli_test -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Edit /etc/mysql/my.cnf and add:

[client-mariadb]

ssl-verify-server-cert

Now works without warning

root@154e63c58cd5:/# mariadb -u wp_cli_test -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Using --no-defaults ignores the config file and warning is back

root@154e63c58cd5:/# mariadb --no-defaults -u wp_cli_test -h 127.0.0.1 --port=3306 --protocol=tcp -e "SHOW DATABASES;"
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
+--------------------+
| Database |
+--------------------+
| information_schema |
| wp_cli_test |
+--------------------+

Adding --ssl-verify-server-cert directly to command removes warning:

root@154e63...
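
Added example (not part of the issue, the pull request, or wp-cli's code): one way to give the client its password without MYSQL_PWD or a command-line argument is a private option file passed with `--defaults-file`, which makes the client read only that file and so keeps the isolation `--no-defaults` was used for. `write_client_cnf` and the temp-file name are hypothetical; the user, password and `[client-mariadb]` group are the sample values from the reproduction steps above, and passwords that would need option-file escaping are rejected rather than guessed at.

```sh
#!/bin/sh
# Added example, not wp-cli code. write_client_cnf is a hypothetical helper.

# Write a private client option file for user $1 / password $2 and print its
# path. The body runs in a subshell, so umask and variables do not leak out.
write_client_cnf() (
    user=$1
    password=$2
    nl='
'
    # Fail closed on characters that would need option-file escaping.
    case $password in
        *'"'* | *\\* | *"$nl"*)
            echo "password needs escaping; refusing" >&2
            exit 1 ;;
    esac
    umask 077    # owner-only permissions (0600) for the new file
    cnf=$(mktemp "${TMPDIR:-/tmp}/client-cnf.XXXXXX") || exit 1
    {
        printf '[client]\n'
        printf 'user=%s\n' "$user"
        printf 'password="%s"\n' "$password"
        # Same group and option the issue adds to my.cnf.
        printf '[client-mariadb]\n'
        printf 'ssl-verify-server-cert\n'
    } > "$cnf"
    printf '%s\n' "$cnf"
)

# Demo with the sample credentials from the reproduction steps above.
demo_cnf=$(write_client_cnf wp_cli_test password1) || exit 1
echo "mariadb --defaults-file=$demo_cnf -h 127.0.0.1 --protocol=tcp -e 'SHOW DATABASES;'"
rm -f "$demo_cnf"
```

`--defaults-file` has to be the first option on the client command line, and the file should be deleted as soon as the run finishes.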



Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix warnings caused by MYSQL_PWD in MariaDB Fix MariaDB 11.4+ warnings with --no-defaults flag Feb 1, 2026
Copilot AI requested a review from swissspidy February 1, 2026 17:49
codecov bot commented Feb 1, 2026

Codecov Report

❌ Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/Context/FeatureContext.php | 0.00% | 14 Missing ⚠️ |


@swissspidy (Member):

@copilot add this flag only if 'mariadb' === self::$db_type

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI commented Feb 2, 2026

> @copilot add this flag only if 'mariadb' === self::$db_type

Done in commit 30a9efa. The --ssl-verify-server-cert flag is now added only when using MariaDB by checking if the binary path contains 'mariadb'.
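
Added example (not code from this pull request or from wp-cli): a client installed under the name `mysql` can still be MariaDB, so a name-only check and a check of the `--version` text can disagree about whether the flag is applied. The function names are hypothetical and the two sample version lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not wp-cli code. Function names are hypothetical.

# Classify a client from the text it prints for --version.
# MariaDB is tested first because its version line can start with "mysql".
flavor_from_version() {
    case $1 in
        *[Mm]aria[Dd][Bb]*) echo mariadb ;;
        *[Mm]y[Ss][Qq][Ll]*) echo mysql ;;
        *) echo unknown ;;
    esac
}

# Ask the binary itself; a missing or failing binary yields "unknown".
client_flavor() {
    flavor_from_version "$("$1" --version 2>/dev/null)"
}

# Name-only check, mirroring the basename() test in the pull request.
flavor_from_name() {
    case $(basename "$1") in
        *mariadb*) echo mariadb ;;
        *) echo mysql ;;
    esac
}

# Flag to append after --no-defaults for a given flavor (empty for others).
ssl_flag_for() {
    [ "$1" = mariadb ] && echo "--ssl-verify-server-cert"
    return 0
}

# Constructed sample --version lines (not captured from the page).
SAMPLE_MARIADB='mysql  Ver 15.1 Distrib 10.11.6-MariaDB, for debian-linux-gnu (x86_64)'
SAMPLE_MYSQL='mysql  Ver 8.0.36 for Linux on x86_64 (MySQL Community Server - GPL)'

# The same client, judged by path and by version text.
echo "name check:    $(flavor_from_name /usr/bin/mysql)"
echo "version check: $(flavor_from_version "$SAMPLE_MARIADB")"
echo "flag by name:    '$(ssl_flag_for "$(flavor_from_name /usr/bin/mysql)")'"
echo "flag by version: '$(ssl_flag_for "$(flavor_from_version "$SAMPLE_MARIADB")")'"
```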

Copilot AI and others added 2 commits February 2, 2026 02:00
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>