Hi!

On Mar 05, Dr. R. Rajaraman wrote:
> Hi,
>
> I am a new user (hardly a month old) to mysql.
>
> My configuration:
> P4 with Windows 2000 prof, apache, PHP4.3, Mysql
> 4.0.11-gamma, phpmyadmin
> 2.4.0.
>
> Now my problem is, a user with no privilege is able to run SQL command
> TRUNCATE <table> to empty any table!
>
> First I reported it to phpmyadmin team and after lengthy discussion, I
> was advised to report to you.

Yes, you are right. To have a bug fixed, it's usually a good idea to report
it to the vendor :)
Still, the proper places for reporting bugs are

  [EMAIL PROTECTED] - for security-related bugs
  [EMAIL PROTECTED] - for other bugs

> Since it is a serious security hole, I would like to get rid of it at
> the earliest.

I wasn't able to repeat it.

===================
mysql> select current_user();
+----------------+
| current_user() |
+----------------+
| @localhost     |
+----------------+
1 row in set (0.00 sec)

mysql> show grants for ''@'localhost';
+--------------------------------------+
| Grants for @localhost                |
+--------------------------------------+
| GRANT USAGE ON *.* TO ''@'localhost' |
+--------------------------------------+
1 row in set (0.00 sec)

mysql> truncate table test.a;
ERROR 1044: Access denied for user: '@localhost' to database 'test'
===================

Please provide more information about this bug.
At least, show the output from the command sequence as above.

Regards,
Sergei

--
MySQL Development Team
Sergei Golubchik <[EMAIL PROTECTED]>
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany