I created a user without the FILE privilege, and a web app connected to the DB with this user is still able to write text files on my localhost. To write these files, the program just uses fopen and fwrite.
I'm reading the document here, and it seems to me that FILE allows query-level file-writing/reading LOAD DATA INFILE. Am I interpreting this right?
Best Answer
Please note the FILE privilege as described in the Documentation
The context here refers to the DB User being able to read and write files on the DB Server using
LOAD DATA INFILE
SELECT ... INTO OUTFILE
LOAD_FILE()
These commands have their fopen and fwrite commands issued from the mysqld server daemon, not the client program. Your web application is not restricted in any way from reading and writing ordinary files because you are doing so from the application layer, not the DB layer. If you click on each link to those three (3) commands, the FILE privilege is specifically mentioned.
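One way to check which accounts can make mysqld read or write server-side files through the three statements above, as an added example that is not part of the original answer. It assumes the input is the text output of SHOW GRANTS; the account names, sample lines and function names are constructed for illustration.

```python
import re

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO <account> [WITH ...]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>.+?)"
    r"(?:\s+WITH\s+.*)?$",
    re.IGNORECASE,
)

def privileges(priv_list):
    """Split 'SELECT (`id`, `title`), FILE' into {'SELECT', 'FILE'}."""
    # Drop column lists first so their commas do not split a privilege in two.
    without_columns = re.sub(r"\([^)]*\)", "", priv_list)
    return {p.strip().upper() for p in without_columns.split(",") if p.strip()}

def accounts_with_file(grant_lines):
    """Return the accounts that hold FILE, directly or through ALL PRIVILEGES."""
    holders = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m or m.group("scope") != "*.*":
            continue  # FILE is a global privilege, so only ON *.* grants matter
        if privileges(m.group("privs")) & {"FILE", "ALL", "ALL PRIVILEGES"}:
            holders.add(m.group("account").replace("`", "'"))
    return sorted(holders)

# Constructed SHOW GRANTS lines for four hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `webapp`@`localhost`",
    "GRANT SELECT, INSERT ON `app`.* TO `webapp`@`localhost`",
    "GRANT SELECT, FILE ON *.* TO `etl`@`10.0.0.%`",
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    "GRANT SELECT (`id`, `title`) ON `app`.`notes` TO `report`@`localhost`",
]

if __name__ == "__main__":
    for account in accounts_with_file(SAMPLE_GRANTS):
        print(account)
```

An account missing from the result can still write files through the application process that uses it, since those writes never pass through mysqld's privilege checks.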