ID: 23779 User updated by: php at jkt dot wz dot cz Reported By: php at jkt dot wz dot cz -Status: Closed +Status: Open Bug Type: MySQL related Operating System: any -PHP Version: 4.3.1 +PHP Version: 4.3.3-dev Assigned To: georg New Comment:
ad http://cvs.php.net/co.php/php4/ext/mysql/php_mysql.c?login=2&r=1.174.2.14 : i don't think this solution is perfect; better fix might be to introduce new php.ini option 'mysql.local_infile' and don't operate with open_basedir... btw, i looked at http://cvs.php.net/co.php/php4/ext/mysql/php_mysql.c?login=2&r=1.192 (newest version??) and i was unable to find the fix.. (but i'm not too familiar with cvs) Previous Comments: ------------------------------------------------------------------------ [2003-05-30 08:00:44] [EMAIL PROTECTED] This bug has been fixed in CVS. In case this was a PHP problem, snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/. In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites in short time. Thank you for the report, and for helping us make PHP better. ------------------------------------------------------------------------ [2003-05-27 03:07:27] [EMAIL PROTECTED] Hmm.. ...assigned to myself ------------------------------------------------------------------------ [2003-05-27 02:53:25] php at jkt dot wz dot cz a) not security hole in mysql, it's problem of php b) you don't need file privileges for 'load data local infile' solution: add php.ini option mysql_local_infile; in mysql_connect() check for 128 and if not enabled, clear it (ie. option&0x7f) ------------------------------------------------------------------------ [2003-05-24 01:34:19] [EMAIL PROTECTED] It's not a security hole. This only works when the connected user has file privileges. ------------------------------------------------------------------------ [2003-05-23 19:10:18] [EMAIL PROTECTED] After a bit more thinking, this is not really PHP problem to solve, it's a security hole in Mysql.. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/23779 -- Edit this bug report at http://bugs.php.net/?id=23779&edit=1
