Re: BLOCK SELECT INTO OUTFILE ?

2005-08-24 Thread averyanov

Wednesday, August 24, 2005, 5:11:14 PM, you wrote:

> Hi,
>
> I am going to implement MySQL hosting, and I would like to ask a question:
> if a MySQL user with only the SELECT privilege makes this query:
>
> SELECT * FROM table1 INTO OUTFILE '/mysqldb/data/test.sql';
>
> the result is a file in this path with the content of the table.
> I could think that a malicious user can do several queries like this and fill
> my disk.
> How could I secure this command?

According to the MySQL manual:

The SELECT ... INTO OUTFILE 'file_name' form of SELECT writes the
selected rows to a file. The file is created on the server host, so
you must have the FILE privilege to use this syntax. The file cannot
currently exist, which among other things prevents files such as
/etc/passwd and database tables from being destroyed.

So just don't give the FILE privilege to malicious users.


> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]







Re: BLOCK SELECT INTO OUTFILE ?

2005-08-24 Thread Pat Adams
On Wed, 2005-08-24 at 10:11 -0300, Alejandro Gad wrote:
> Hi,
>
> I am going to implement MySQL hosting, and I would like to ask a question:
> if a MySQL user with only the SELECT privilege makes this query:
>
> SELECT * FROM table1 INTO OUTFILE '/mysqldb/data/test.sql';
>
> the result is a file in this path with the content of the table.
> I could think that a malicious user can do several queries like this and fill
> my disk.
> How could I secure this command?

From the manual:
http://dev.mysql.com/doc/mysql/en/select.html

The SELECT ... INTO OUTFILE 'file_name' form of SELECT writes the
selected rows to a file. The file is created on the server host, so you
must have the FILE privilege to use this syntax. The file cannot
currently exist, which among other things prevents files such
as /etc/passwd and database tables from being destroyed.

If you take away the FILE privilege they won't be able to write out the
filesystem.
-- 
Pat Adams
Applications Programmer
SYSCO Food Services of Dallas
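
The check and fix both replies point to, written out as an added example that is not part of either post: it audits which accounts hold FILE, removes it, and confirms the result. The account name 'customer1'@'%' and the schema customer1_db are hypothetical placeholders, and the account is assumed to exist already; secure_file_priv is a server variable from later MySQL versions that the thread does not mention.

```sql
-- Added example; account, host and schema names are hypothetical placeholders.

-- 1. Audit: list every account that holds the global FILE privilege.
--    Only these accounts can run SELECT ... INTO OUTFILE.
SELECT User, Host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. FILE is a global privilege: it is granted and revoked ON *.* only,
--    never per database or per table.
REVOKE FILE ON *.* FROM 'customer1'@'%';

-- 3. A hosting customer needs only privileges scoped to their own schema.
--    A database-level grant like this one never includes FILE.
GRANT SELECT ON customer1_db.* TO 'customer1'@'%';

-- 4. Verify: the output must list neither FILE nor ALL PRIVILEGES ON *.*
--    (ALL PRIVILEGES at the global level includes FILE).
SHOW GRANTS FOR 'customer1'@'%';

-- 5. For accounts that legitimately keep FILE, check whether the server
--    confines file import/export to one directory. The variable is set at
--    server startup (for example in my.cnf), not at runtime.
SHOW VARIABLES LIKE 'secure_file_priv';
```

With FILE revoked, the INTO OUTFILE statement from the question fails with an access-denied error for that account, while ordinary SELECT queries on customer1_db keep working.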

