I was looking at the posting from James E. Flemer [EMAIL PROTECTED]
and decided to try adding a bit more to it.
** This code is compiled, but not tested **
As noted in the comments, it would need work in a threaded
environment. However, if anyone would like to look at this and see if
it
Yes, it does disable all LOAD DATA cases, including files
from the server ... Be my guest to extend it. Like I said,
I was writing this for a client, not for the PHP tree.
It would take a few more states in the loop to check for
the LOCAL keyword... because if you notice the syntax is:
LOAD
At 08:15 AM 2/5/2002, Rasmus Lerdorf wrote:
The fact that 3rd party libs can load arbitrary files is not a new
concept. Every time I give a moderately detailed PHP talk I mention the
fact that there is a way to load a file through the oci8 libs. Of course
it can be done through the mysql libs
Well, I understand the concerns with trying to patch all
libs that PHP uses. However mysql seems to be a *major*
extension, as in it is very heavily used. I had to write
this patch anyway for a client, so I will post the patch
here. If people don't like it, they can ignore it. If
enough people do
- [EMAIL PROTECTED]% (James E. Flemer):
This patch I think will catch all cases, unless there is
some way that mysql can escape characters (\x44 or
something).
As far as I can see, this patch will disable all LOAD DATA-cases, this
will however disable a feature in MySQL for loading files that
Comments on this? I am going to take a look at the code in
the mysql extension, and at the code in mysql as well
tomorrow. Not sure if this is directly a PHP problem (vs a
mysql problem), but it is something that PHP *could* block
it seems.
-James
-- Forwarded message --
Date:
BTW I just noticed that this has been entered as bug
#15375.
--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
We have always said that safe mode isn't very safe. I'm sure there are
other ways of circumventing it.
Unless a few people focus specifically on safe mode I don't think this will
change.
Andi
At 12:26 AM 2/5/2002 -0500, James E. Flemer wrote:
BTW I just noticed that this has been entered as
On Mon, 2002-02-04 at 22:23, James E. Flemer wrote:
Comments on this? I am going to take a look at the code in
the mysql extension, and at the code in mysql as well
tomorrow. Not sure if this is directly a PHP problem (vs a
mysql problem), but it is something that PHP *could* block
it seems.
The fact that 3rd party libs can load arbitrary files is not a new
concept. Every time I give a moderately detailed PHP talk I mention the
fact that there is a way to load a file through the oci8 libs. Of course
it can be done through the mysql libs as well. This is not a new concept.
All