 

(mysql.info.gz) LOAD DATA LOCAL

 
 5.4.4 Security Issues with `LOAD DATA LOCAL'
 --------------------------------------------
 
 The `LOAD DATA' statement can load a file that is located on the server
 host, or it can load a file that is located on the client host when the
 `LOCAL' keyword is specified.
 
 There are two potential security issues with supporting the `LOCAL'
 version of `LOAD DATA' statements:
 
    * The transfer of the file from the client host to the server host
      is initiated by the MySQL server. In theory, a patched server
      could be built that would tell the client program to transfer a
      file of the server's choosing rather than the file named by the
      client in the `LOAD DATA' statement. Such a server could access
      any file on the client host to which the client user has read
      access.
 
    * In a Web environment where the clients are connecting from a Web
      server, a user could use `LOAD DATA LOCAL' to read any files that
      the Web server process has read access to (assuming that a user
      could run any command against the SQL server). In this
      environment, the client with respect to the MySQL server actually
      is the Web server, not the program being run by the user
      connecting to the Web server.
 
 
 To deal with these problems, we changed how `LOAD DATA LOCAL' is
 handled as of MySQL 3.23.49 and MySQL 4.0.2 (4.0.13 on Windows):
 
    * By default, all MySQL clients and libraries in binary
      distributions are compiled with the `--enable-local-infile'
      option, to be compatible with MySQL 3.23.48 and before.
 
    * If you build MySQL from source but don't use the
      `--enable-local-infile' option to `configure', `LOAD DATA LOCAL'
      cannot be used by any client unless it is written explicitly to
       invoke `mysql_options(... MYSQL_OPT_LOCAL_INFILE, 0)'.  See
       `mysql_options()'.
 
    * You can disable all `LOAD DATA LOCAL' commands from the server side
      by starting `mysqld' with the `--local-infile=0' option.
 
    * For the `mysql' command-line client, `LOAD DATA LOCAL' can be
      enabled by specifying the `--local-infile[=1]' option, or disabled
      with the `--local-infile=0' option.  Similarly, for `mysqlimport',
      the `--local' or `-L' option enables local data file loading. In
      any case, successful use of a local loading operation requires
      that the server is enabled to allow it.
 
    * If you use `LOAD DATA LOCAL' in Perl scripts or other programs that
      read the `[client]' group from option files, you can add the
      `local-infile=1' option to that group. However, to keep this from
      causing problems for programs that do not understand
      `local-infile', specify it using the `loose-' prefix:
 
           [client]
           loose-local-infile=1
 
      The `loose-' prefix can be used as of MySQL 4.0.2.
 
    * If `LOAD DATA LOCAL INFILE' is disabled, either in the server or
      the client, a client that attempts to issue such a statement
      receives the following error message:
 
           ERROR 1148: The used command is not allowed with this MySQL version
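
 As an added example (not part of the MySQL manual), the shell function below reports how one option file sets `local-infile' for a given group, honoring the `loose-' prefix and treating a bare option name as `=1' as described above. The function names and the sample option file are constructed for illustration; it inspects a single file and recognizes only the values 0 and 1 used on this page.

```shell
# Added example: how one option file sets local-infile for a given group.
# Prints "enabled", "disabled", "unset", or "other:<value>".
local_infile_state() {   # $1 = option file, $2 = group name, e.g. client
    awk -v want="$2" '
        BEGIN { state = "unset" }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim whitespace
        $0 == "" || /^[#;]/ { next }                    # blanks, comments
        /^\[/ { grp = substr($0, 2, length($0) - 2); next }
        grp != want { next }
        {
            line = $0
            sub(/^loose-/, "", line)       # loose- prefix is transparent
            n = index(line, "=")
            key = n ? substr(line, 1, n - 1) : line
            val = n ? substr(line, n + 1) : "1"   # bare option means =1
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key != "local-infile") next
            # A later occurrence in the same group overrides an earlier one.
            if (val == "0") state = "disabled"
            else if (val == "1") state = "enabled"
            else state = "other:" val
        }
        END { print state }
    ' "$1"
}

# Constructed sample option file (not taken from the manual).
sample_cnf() {
    cat <<'EOF'
[client]
# read by Perl scripts and other programs that parse [client]
loose-local-infile=1

[mysql]
local-infile = 0

[mysqld]
port=3306
EOF
}

tmp=$(mktemp) && sample_cnf > "$tmp"
for g in client mysql mysqld; do
    printf '%-8s %s\n' "[$g]" "$(local_infile_state "$tmp" "$g")"
done
rm -f "$tmp"
```

 A group reported as "unset" falls back to the compiled-in default, and a client-side "enabled" still requires that the server allows `LOAD DATA LOCAL'.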
 
 