Jennifer, > Why would they have to do that? The file does not need to be in that > directory. In order to use LOAD DATA INFILE without LOCAL the file just > needs to be somewhere on the server that mysqld is running on
Exactly this is the point. Most ISPs (at least all the big ones who offer MySQL here in Germany) have their MySQL servers running on separate machines. As a regular customer (this applies to business customers as well) you will get _no_ account at all on the MySQL host machines. This is why you _have_ to use LOCAL to bulk import data. > Obviously this does not negate the fact that LOCAL is sometimes needed, but > allowing all users to write to mysql/bin is not needed at all for any reason > that I can see. Maybe I am missing something? No, this was just an extreme example, thus the smiley ;-) > From the docs -- http://www.mysql.com/doc/en/LOAD_DATA.html > "If the LOCAL keyword is specified, the file is read from the client host. > If LOCAL is not specified, the file must be located on the server. (LOCAL is > available in MySQL Version 3.22.6 or later.)" This is the way it _should_ be, and the way it _was_ until 4.0.1 or so. With the recent versions (I tested 4.0.5 and 4.0.7 binary distributions), LOCAL will not work at all. This is a bug, not a (security) feature. Regards, -- Stefan Hinz <[EMAIL PROTECTED]> Geschäftsführer / CEO iConnect GmbH <http://iConnect.de> Heesestr. 6, 12169 Berlin (Germany) Tel: +49 30 7970948-0 Fax: +49 30 7970948-3 ----- Original Message ----- From: "Jennifer Goodie" <[EMAIL PROTECTED]> To: "Stefan Hinz, iConnect (Berlin)" <[EMAIL PROTECTED]>; "Charles Mabbott" <[EMAIL PROTECTED]>; "'Prathmesh J. Mahidharia'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, January 08, 2003 11:21 PM Subject: RE: Re: Load local data infile problem > >Imagine an ISP giving every customer write privileges for the mysql/bin > directory ... ;-/ > > Why would they have to do that? The file does not need to be in that > directory. In order to use LOAD DATA INFILE without LOCAL the file just > needs to be somewhere on the server that mysqld is running on and be > readable by the mysqld user. I load my files in from my home directory > because I don't think the mysql base dir and data dir are a great spot to > arbitrarily put files (and I don't have permission to them w/o su-ing). If > you are connecting via localhost, have FILE permission on the DB, and can > create a readable file somewhere on that server, you would be fine. > > We do not allow LOCAL on our servers as we are running replication and > 3.23.54 won't support it. I do not have write permission to any directories > except my home directory. I have never run into any problems with LOAD DATA > that were not my own fault, usually it is error 13 because I typed the path > wrong or didn't chmod the file. > > Obviously this does not negate the fact that LOCAL is sometimes needed, but > allowing all users to write to mysql/bin is not needed at all for any reason > that I can see. Maybe I am missing something? > > From the docs -- http://www.mysql.com/doc/en/LOAD_DATA.html > "If the LOCAL keyword is specified, the file is read from the client host. > If LOCAL is not specified, the file must be located on the server. (LOCAL is > available in MySQL Version 3.22.6 or later.)" > > > -----Original Message----- > From: Stefan Hinz, iConnect (Berlin) [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 08, 2003 9:40 AM > To: Charles Mabbott; 'Prathmesh J. Mahidharia'; [EMAIL PROTECTED] > Subject: Re: Load local data infile problem > > > Charles, > > >> I posted the same problem a couple of days ago. LOCAL will not work > >> because of a security "improvement" the MySQL folks applied. > > > LOAD DATA INFILE "C:\\mysql\\fred.txt" INTO TABLE data_table; > > Hope this helps, but only a workaround... > > Without LOCAL, quite alot of things will not work. Imagine an ISP giving > every customer write privileges for the mysql/bin directory ... ;-/ > > Unfortunately, Monty did'nt mention if this is fixed in 4.0.8 or going > to be fixed in 4.0.9 or 4.1. Personally, I regard this security > "improvement" rather a bug than a feature. > > > > --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
