Hi Folks:

Gerard Onorato wrote on the PHP-GENERAL mailing list:
>
> Security Advisory DW020203-PHP
> Release: 3rd February 2002
> PHP Safe Mode Filesystem Circumvention Problem
>
> ... snip ...
>
> FIX
> Currently, no fix exists.
> ... snip ...
> A suggested fix for the PHP developers might be to scan
> mysql_query()s for strings similar to "LOAD DATA LOCAL INFILE".

But they're forgetting about MySQL's permission handling. The LOAD DATA command can be controlled by the File_priv permission at the User level. Also, the Insert_priv can be regulated at many levels, including the User, Database, table and column level. Naturally, if one can't insert, there's no way for them to run a LOAD DATA statement.

Enjoy,

--Dan

--
PHP scripts that make your job easier
http://www.analysisandsolutions.com/code/
SQL Solution | Layout Solution | Form Solution
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
4015 7 Ave, Brooklyn NY 11232   v: 718-854-0335   f: 718-854-0409
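
Added example, not part of the message above: one way to audit the File_priv and Insert_priv settings it mentions at each grant level and then narrow them for a web account. The account 'webapp'@'localhost', the database shop and the table orders are hypothetical names.

```sql
-- Accounts holding FILE or INSERT at the global (User) level.
SELECT User, Host, File_priv, Insert_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Insert_priv = 'Y';

-- Accounts holding INSERT at the database level.
SELECT User, Host, Db, Insert_priv
FROM mysql.db
WHERE Insert_priv = 'Y';

-- INSERT granted on individual tables or columns.
SELECT User, Host, Db, Table_name, Table_priv, Column_priv
FROM mysql.tables_priv
WHERE FIND_IN_SET('Insert', Table_priv)
   OR FIND_IN_SET('Insert', Column_priv);

-- Everything currently granted to the hypothetical web account.
SHOW GRANTS FOR 'webapp'@'localhost';

-- FILE exists only at the global level, so it is revoked on *.*.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- Drop a global INSERT grant (applies if INSERT was granted on *.*),
-- then grant it back only on the table the application writes to.
REVOKE INSERT ON *.* FROM 'webapp'@'localhost';
GRANT INSERT ON shop.orders TO 'webapp'@'localhost';

-- Confirm the result.
SHOW GRANTS FOR 'webapp'@'localhost';
```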