Diffstat (limited to 'django/db/backends/mysql/client.py')
-rw-r--r--django/db/backends/mysql/client.py12
1 files changed, 10 insertions, 2 deletions
diff --git a/django/db/backends/mysql/client.py b/django/db/backends/mysql/client.py
index 79032c1207..95442a32b0 100644
--- a/django/db/backends/mysql/client.py
+++ b/django/db/backends/mysql/client.py
@@ -7,6 +7,7 @@ class DatabaseClient(BaseDatabaseClient):
@classmethod
def settings_to_cmd_args_env(cls, settings_dict, parameters):
args = [cls.executable_name]
+ env = None
db = settings_dict['OPTIONS'].get('db', settings_dict['NAME'])
user = settings_dict['OPTIONS'].get('user', settings_dict['USER'])
password = settings_dict['OPTIONS'].get(
@@ -27,7 +28,14 @@ class DatabaseClient(BaseDatabaseClient):
if user:
args += ["--user=%s" % user]
if password:
- args += ["--password=%s" % password]
+ # The MYSQL_PWD environment variable usage is discouraged per
+ # MySQL's documentation due to the possibility of exposure through
+ # `ps` on old Unix flavors but --password suffers from the same
+ # flaw on even more systems. Usage of an environment variable also
+ # prevents password exposure if the subprocess.run(check=True) call
+ # raises a CalledProcessError since the string representation of
+ # the latter includes all of the provided `args`.
+ env = {'MYSQL_PWD': password}
if host:
if '/' in host:
args += ["--socket=%s" % host]
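Review bot: The comment added above `env = {'MYSQL_PWD': password}` explains why the variable is preferred over `--password`, but it does not say what exposure remains. The value stays in the client's environment for the life of the process, so it is inherited by anything the client itself launches and, on most Unix systems, can be read from the process environment by the same user or root. I would extend the comment with a line such as `# The password remains readable in the child's environment; an option file with restricted permissions avoids that.` The method starts and ends outside this hunk, so whether an option file from OPTIONS is already honoured cannot be seen from here.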
@@ -46,4 +54,4 @@ class DatabaseClient(BaseDatabaseClient):
if db:
args += [db]
args.extend(parameters)
- return args, None
+ return args, env
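Review bot: `return args, env` now returns either `None` or a dict holding only `MYSQL_PWD`, and nothing in the method documents that the caller must overlay it on the parent environment rather than pass it as the child's complete environment. Passing it unchanged as `env=` to subprocess would drop `PATH` and the locale variables; the caller is not part of this diff, so this may already be handled. A docstring on `settings_to_cmd_args_env` would pin the contract, for example `"""Return (args, env); env is None or a dict of extra variables to merge into os.environ."""`. It is also worth confirming that no caller logs or echoes the returned `env`, since it carries the password in clear text.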