-bash-4.1$ mysql -h 127.0.0.1 -P 8811 -e "select MD5(name), MAX(ssn) from test.masking"
------------------------------------------------------+

------------------------------------------------------+

------------------------------------------------------+

This can be easily done by checking also "column_def" "name", not only "column_def" "org_name", as above.

What cannot be done immediately is:

-bash-4.1$ mysql -h 127.0.0.1 -P 8811 -e "select MAX(name) AS mmm from test.masking"
-------

-------

-------

Adding a column alias with a function is something that cannot be checked in the result set but it must be done inspecting the input

Anything that cannot be performed by merely inspecting the resultset implies a massive change.

Masking the result of a statement like "select SUBSTRING(nation_id, 1) from table_1" effectively means that the parse tree of the statement must be made available to the filter, so that it can figure out whether a column to be masked (e.g. nation_id) is used as an argument to a function.

johan.wikman Alternate to using parse tree of the entire SQL statement is to do regex processing of the return column name in the result set - "column_def". "name" in addition to "column_def". "org_name"
(1) if "column_def" "org_name" is masked column then mask the data for the column in the result set
(2) if "column_def". "name" matches the following regex, then mask the data for the column in the result set

[a-z]*[A-Z]*[ ]*([ ]*<<masked-column>>[ ]*[,]*.*)

This regex covers patterns of <function-name>(<column-name>, zero or more parameters)

That's a good idea, but the regex needs to be more complex than that. It would not catch e.g.

select concat("", masked_column) from tbl;

Handled by MXS-1364 and MXS-1346