Cannot disable LOCAL INFILE ( for security reasons ) in mysql Ver 14.14 Distrib 5.5.25a, for debian-linux-gnu (i686) using readline 6.2 on ubuntu 12.04;
Here is my /etc/mysql/my.cnf
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
loose-local-infile=0
local-infile=0
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
local-infile=0
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
I do
sudo /etc/init.d/mysql restart
mysql -u root -p
mysql> SELECT load_file("/etc/passwd");
And it shows me my /etc/passwd content. So it didn't work.
Best Answer
From MySQL Docs for load_file reference, it can be seen that load_file is MySQL function that returns content of the file as string. It does nothing more than that. It has nothing to do with local_infile.
For security purpose, from same docs:
So if you set the system variable "secure_file_priv", then file has to be present in that particular directory. Moreover, user requires File level privileges to execute this statement. Simply do not give file level privileges to your users who are accessing database, if you want it to be secured.
Further local-infile is for LOAD DATA statements, which loads data into table, thereby affecting tables. It has nothing to do with load_file() function.