Matthias Pigulla wrote:
Hi all,
Hi Matthias,
I hope this is the right place and right way to submit this patch?
Usually, the recommended place is our patch tracker.
As you probably know, MySQL has disabled the "LOCAL" option for "LOAD DATA INFILE" statements for security reasons as of MySQL 3.23.49. To be able to use "LOAD DATA LOCAL", you will have to add
local-infile = 1
to both your server's and client's my.cnf files. (Please be aware of the security implications!)
However, when using the mysql client bundled with PHP, these settings don't apply. Instead, you will have to pass the appropriate flag as an extra parameter to mysql_connect.
This patch adds a new config directive $cfg['Servers'][..]['infile_local'] = (TRUE | FALSE). Setting it to "TRUE" enables the mysql client bundled with PHP to use "LOAD DATA LOCAL" for this connection.
I intend to test your patch. However, I suggest to not add a new config parameter to config.inc.php but always pass the 128 flag. Here is why.
Reading about the security issues http://dev.mysql.com/doc/mysql/en/LOAD_DATA_LOCAL.html
The first issue is not really an issue, IMO. Usually, ISPs do not let their Web server access an external MySQL server (which would have been "patched").
The second issue: well, if the ISP is concerned with this, he just has to disable the LOCAL feature in the server. And if the feature is enabled, any Web developer can code his application to use it, regardless of the setting in a "central" phpMyAdmin. Not mentioning that the user can install his own copy of phpMyAdmin and enable the feature.
P.S. for mysqli, we should have a look at mysqli_options().
Thanks for the patch,
Marc Delisle
Without having tested it, you should be able to use LOAD DATA LOCAL without setting this option if you compiled PHP with --with-mysql=/path/to/mysql (thus you did not use the client bundled with PHP) and set up my.cnf correctly.
Even when passing the additional parameter to mysql_(p)connect, the use of open_basedir may restrict its usage.
Besides that, there was a typo in mysql.dbi.lib.php that prevented passing the $client_flags to mysql_(p)connect at all; so far, that should have broken the use of MYSQL_CLIENT_COMPRESS.
Best regards, Matthias
diff -ru phpMyAdmin-2.6.0-rc2/config.inc.php www/config.inc.php --- phpMyAdmin-2.6.0-rc2/config.inc.php Sat Sep 4 15:40:11 2004 +++ www/config.inc.php Mon Sep 20 12:09:00 2004 @@ -71,6 +71,7 @@ $cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket $cfg['Servers'][$i]['connect_type'] = 'tcp'; // How to connect to MySQL server ('tcp' or 'socket') $cfg['Servers'][$i]['extension'] = 'mysql'; // The php MySQL extension to use ('mysql' or 'mysqli') +$cfg['Servers'][$i]['infile_local'] = TRUE; // Upon mysql_connect, set client flag to allow for 'LOAD DATA LOCAL INFILE' $cfg['Servers'][$i]['compress'] = FALSE; // Use compressed protocol for the MySQL connection // (requires PHP >= 4.3.0) $cfg['Servers'][$i]['controluser'] = ''; // MySQL control user settings
diff -ru phpMyAdmin-2.6.0-rc2/libraries/dbi/mysql.dbi.lib.php www/libraries/dbi/mysql.dbi.lib.php --- phpMyAdmin-2.6.0-rc2/libraries/dbi/mysql.dbi.lib.php Sun Jul 18 00:58:31 2004 +++ www/libraries/dbi/mysql.dbi.lib.php Mon Sep 20 12:05:19 2004 @@ -47,11 +47,14 @@ ? '' : ':' . $cfg['Server']['socket'];
if (PMA_MYSQL_CLIENT_API >= 32349) {$client_flags = 0;
$client_flags = $cfg['Server']['compress'] && defined('MYSQL_CLIENT_COMPRESS') ? MYSQL_CLIENT_COMPRESS : 0;
$client_flags |= $cfg['Server']['compress'] && defined('MYSQL_CLIENT_COMPRESS') ? MYSQL_CLIENT_COMPRESS : 0;
}$client_flags |= $cfg['Server']['infile_local'] ? 128 : 0; /* CLIENT_LOCAL_FILES as defined in PHP's /ext/mysql/libmysql/mysql_com.h */
- if (empty($client_clags)) {
- if (empty($client_flags)) { $connect_func = 'mysql_' . ($cfg['PersistentConnections'] ? 'p' : '') . 'connect'; $link = @$connect_func($cfg['Server']['host'] . $server_port . $server_socket, $user, $password); } else {
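Review bot: the added $cfg['Servers'][$i]['infile_local'] line in the config.inc.php hunk ships with the value TRUE, so any installation that keeps the distributed defaults sets the LOAD DATA LOCAL INFILE client flag on every connection without the administrator having chosen it. Since the covering message itself asks readers to be aware of the security implications, I would default this to FALSE so the feature is opt-in, and extend the trailing comment to say that the server side must also allow LOCAL and to reference the MySQL manual page on LOAD DATA LOCAL security.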
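Review bot: in the mysql.dbi.lib.php hunk, the line that ORs in the new flag uses the bare literal 128 and reads $cfg['Server']['infile_local'] without checking that the key exists. A config.inc.php written before this patch will not contain that key, so the read should be guarded (isset or !empty) to avoid an undefined-index notice, and the 128 would be easier to audit as a named constant defined once beside the comment that cites mysql_com.h. The $client_clags to $client_flags correction in the empty() test is an independent bug fix and would be better submitted as its own change, so it can be merged regardless of what is decided about the new directive.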