Wednesday, August 24, 2005, 5:11:14 PM, you wrote: > Hi,
> I am going to implement a mysql hosting, and I would to make a question, > if a mysql-user with only a "SELECT" privilege make this query: > SELECT * FROM table1 INTO OUTFILE '/mysqldb/data/test.sql'; > the result is a file in this path with the content of the table. > I could think that a malicious user can do several querys like this and fill > my disk. > How could I secure this command ? According to mysql manual "The SELECT ... INTO OUTFILE 'file_name' form of SELECT writes the selected rows to a file. The file is created on the server host, so you must have the FILE privilege to use this syntax. The file cannot currently exist, which among other things prevents files such as /etc/passwd and database tables from being destroyed." So just don't give FILE privilege to malicious users > -- > MySQL General Mailing List > For list archives: http://lists.mysql.com/mysql > To unsubscribe: > http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
