On Wed, 2005-08-24 at 10:11 -0300, Alejandro Gad wrote: > Hi, > > I am going to implement a mysql hosting, and I would to make a question, > if a mysql-user with only a "SELECT" privilege make this query: > > SELECT * FROM table1 INTO OUTFILE '/mysqldb/data/test.sql'; > > the result is a file in this path with the content of the table. > I could think that a malicious user can do several querys like this and fill > my disk. > How could I secure this command ?
From the manual: http://dev.mysql.com/doc/mysql/en/select.html "The SELECT ... INTO OUTFILE 'file_name' form of SELECT writes the selected rows to a file. The file is created on the server host, so you must have the FILE privilege to use this syntax. The file cannot currently exist, which among other things prevents files such as /etc/passwd and database tables from being destroyed." If you take away the FILE privilege they won't be able to write out the filesystem. -- Pat Adams Applications Programmer SYSCO Food Services of Dallas
signature.asc
Description: This is a digitally signed message part