MySQL avoid unauthorized reading and SQL Injection vulnerabilities in PHP
The LOAD DATA statement can load a file that is located on the server host, or it can load a file that is located on the client host when the LOCAL keyword is specified.
In a Web server environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to (assuming that a user could run any command against the SQL server). In this environment, the client with respect to the MySQL server actually is the Web server, not the remote program being run by the user who connects to the Web server. Attacker can take advantage of this SQL injection via PHP/perl etc.
Open my.cnf file:
# vi my.cnf
Append following line [mysqld] section
local-infile=0
Save and restart MySQL server:
# /etc/init.d/mysql restart
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- FreeBSD keep ports collection up to date in two easy steps
- Cracking Wireless WEP-104 in record time
- Copy MySQL database from one server to another remote server
- MySQL Proxy Load balancing and Failover Tutorial
- How to MySQL backup and data recovery with mysql-zrm
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!



Recent Comments
Yesterday ~ 4 Comments
Yesterday ~ 12 Comments
Yesterday ~ 6 Comments
Yesterday ~ 21 Comments
Yesterday ~ 1 Comment