The next change is to disable the use of the "LOAD DATA LOCAL INFILE" command, which will help to prevent unauthorized reading from local files. This is especially important when new SQL Injection vulnerabilities in PHP applications are found.
In addition, in certain cases, the "LOCAL INFILE" command can be used to gain access to other files on the operating system, for instance "/etc/passwd", using the following command:
mysql> LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE table1
Or even simpler:
mysql> SELECT load_file("/etc/passwd")
To disable the usage of the "LOCAL INFILE" command, the following parameter should be added in the [mysqld] section of the MySQL configuration file.
set-variable=local-infile=0
Or
secure-file-priv=/var/tmp
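To check that a configuration file actually carries these settings in the right section, the following added example (not part of the original page) parses my.cnf-style text and reports what is missing. The function names and the sample configuration are constructed for illustration, and inline trailing comments in option lines are assumed not to be present.

```python
import re

# Constructed sample my.cnf text (not from the original page).
SAMPLE_CNF = """\
[client]
port=3306

[mysqld]
datadir=/var/lib/mysql
set-variable=local-infile=0
secure-file-priv=/var/tmp
"""

def mysqld_options(cnf_text):
    """Return {option: value} for the [mysqld] section only."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue  # settings in [client] etc. do not configure the server
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # Legacy form "set-variable=name=value": unwrap to name/value.
        if key in ("set-variable", "set_variable"):
            key, _, value = value.partition("=")
            key, value = key.strip().lower(), value.strip()
        # MySQL treats '-' and '_' in option names as equivalent.
        opts[key.replace("_", "-")] = value.strip("'\"")
    return opts

def audit(cnf_text):
    """Return a list of findings; an empty list means both settings are present."""
    opts = mysqld_options(cnf_text)
    findings = []
    if opts.get("local-infile", "").lower() not in ("0", "off", "false"):
        findings.append("local-infile is not disabled in [mysqld]")
    if not opts.get("secure-file-priv"):
        findings.append("secure-file-priv is unset or empty in [mysqld]")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CNF) or "OK")
```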