[Phpmyadmin-devel] [Patch] Allow for "LOAD DATA INFILE" when using the PHP-bundled mysql client

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Mon Sep 20 04:26:07 CEST 2004


Matthias Pigulla wrote:
> Hi all,

Hi Matthias,

> 
> I hope this is the right place and right way to submit this patch?

Usually, the recommended place is our patch tracker.
> 
> As you probably know, MySQL has disabled the "LOCAL" option for "LOAD
> DATA INFILE" statements for security reasons as of MySQL 3.23.49. To be
> able to use "LOAD DATA LOCAL", you will have to add 
> 
> local-infile    = 1
> 
> to both your server's and client's my.cnf files. (Please be aware of the
> security implications!)
> 
> However, when using the mysql client bundled with PHP, these settings
> don't apply. Instead, you will have to pass the appropriate flag as an
> extra parameter to mysql_connect.
> 
> This patch adds a new config directive
> $cfg['Servers'][..]['infile_local'] = (TRUE | FALSE). Setting it to
> "TRUE" enables the mysql client bundled with PHP to use "LOAD DATA
> LOCAL" for this connection. 

I intend to test your patch. However, I suggest not adding a new config 
parameter to config.inc.php but always passing the 128 flag. Here is why.

Reading about the security issues at
http://dev.mysql.com/doc/mysql/en/LOAD_DATA_LOCAL.html

The first issue is not really an issue, IMO. Usually, ISPs do not let 
their Web server access an external MySQL server (which would have been 
"patched").

The second issue: well, if the ISP is concerned with this, he just has 
to disable the LOCAL feature in the server. And if the feature is 
enabled, any Web developer can code his application to use it, 
regardless of the setting in a "central" phpMyAdmin. Not to mention 
that the user can install his own copy of phpMyAdmin and enable the feature.

P.S. for mysqli, we should have a look at mysqli_options().

Thanks for the patch,

Marc Delisle
> 
> Without having tested it, you should be able to use LOAD DATA LOCAL
> without setting this option if you compiled PHP with
> --with-mysql=/path/to/mysql (thus you did not use the client bundled
> with PHP) and set up my.cnf correctly.
> 
> Even when passing the additional parameter to mysql_(p)connect, the use
> of open_basedir may restrict its usage.
> 
> Besides that, there was a typo in mysql.dbi.lib.php that prevented
> passing the $client_flags to mysql_(p)connect at all; so far, that
> should have broken the use of MYSQL_CLIENT_COMPRESS.
> 
> Best regards,
> Matthias
> 
> ------------------------------------------------------------------------
> 
> diff -ru phpMyAdmin-2.6.0-rc2/config.inc.php www/config.inc.php
> --- phpMyAdmin-2.6.0-rc2/config.inc.php	Sat Sep  4 15:40:11 2004
> +++ www/config.inc.php	Mon Sep 20 12:09:00 2004
> @@ -71,6 +71,7 @@
>  $cfg['Servers'][$i]['socket']        = '';          // Path to the socket - leave blank for default socket
>  $cfg['Servers'][$i]['connect_type']  = 'tcp';       // How to connect to MySQL server ('tcp' or 'socket')
>  $cfg['Servers'][$i]['extension']     = 'mysql';     // The php MySQL extension to use ('mysql' or 'mysqli')
> +$cfg['Servers'][$i]['infile_local']  = TRUE;        // Upon mysql_connect, set client flag to allow for 'LOAD DATA LOCAL INFILE'
>  $cfg['Servers'][$i]['compress']      = FALSE;       // Use compressed protocol for the MySQL connection
>                                                      // (requires PHP >= 4.3.0)
>  $cfg['Servers'][$i]['controluser']   = '';          // MySQL control user settings
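
Review bot: the new directive `+$cfg['Servers'][$i]['infile_local']  = TRUE;` ships switched on, so every installation that picks up this config starts requesting the LOCAL INFILE client flag on its MySQL connections without an administrator choosing to, while the cover text itself asks readers to "be aware of the security implications". Default it to FALSE and let the comment say what the flag permits and that it only takes effect for the 'mysql' extension (the `extension` line two above also accepts 'mysqli', which this patch does not touch), e.g. `$cfg['Servers'][$i]['infile_local']  = FALSE;       // Pass the client flag that allows 'LOAD DATA LOCAL INFILE' (mysql extension only; see the MySQL security notes)`.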
> 
> diff -ru phpMyAdmin-2.6.0-rc2/libraries/dbi/mysql.dbi.lib.php www/libraries/dbi/mysql.dbi.lib.php
> --- phpMyAdmin-2.6.0-rc2/libraries/dbi/mysql.dbi.lib.php        Sun Jul 18 00:58:31 2004
> +++ www/libraries/dbi/mysql.dbi.lib.php Mon Sep 20 12:05:19 2004
> @@ -47,11 +47,14 @@
>                     ? ''
>                     : ':' . $cfg['Server']['socket'];
>  
> +       $client_flags = 0;
>      if (PMA_MYSQL_CLIENT_API >= 32349) {
> -        $client_flags = $cfg['Server']['compress'] && defined('MYSQL_CLIENT_COMPRESS') ? MYSQL_CLIENT_COMPRESS : 0;
> +        $client_flags |= $cfg['Server']['compress'] && defined('MYSQL_CLIENT_COMPRESS') ? MYSQL_CLIENT_COMPRESS : 0;
> +        $client_flags |= $cfg['Server']['infile_local'] ? 128 : 0; /* CLIENT_LOCAL_FILES as defined in PHP's /ext/mysql/libmysql/mysql_com.h */
>      }
>  
> -    if (empty($client_clags)) {
> +
> +    if (empty($client_flags)) {
>          $connect_func = 'mysql_' . ($cfg['PersistentConnections'] ? 'p' : '') . 'connect';
>          $link = @$connect_func($cfg['Server']['host'] . $server_port . $server_socket, $user, $password);
>      } else {
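
Review bot: with `infile_local` defaulting to TRUE in the config hunk, `$client_flags` is non-zero on every install, so `if (empty($client_flags))` is never taken and the connect call that passes client flags is always used; the config comment on `compress` says that path requires PHP >= 4.3.0, so installs on older PHP change connect behaviour even though they never asked for LOCAL INFILE. Gating the `|= ... ? 128 : 0` line on the directive being explicitly TRUE (and defaulting it to FALSE) keeps the old path for everyone else. Separately: the `$client_clags` -> `$client_flags` rename is the actual bug fix here and is worth calling out on its own; the literal 128 would read better as a named constant, since the inline comment already calls it CLIENT_LOCAL_FILES; and `+       $client_flags = 0;` is indented with different whitespace from the surrounding 4-space code, with a stray blank line added before the `if`.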

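Added example (not part of Matthias's patch or of phpMyAdmin's own code): the same client-flag computation written so that 'infile_local' stays off unless the server entry sets it to TRUE, plus the mysqli counterpart via mysqli_options() that Marc's P.S. points at. The constant PMA_CLIENT_LOCAL_FILES and the helpers pma_client_flags() and pma_mysqli_connect() are assumed names; the value 128 is taken from the patch's comment, and the mysqli path assumes PHP's mysqli extension with MYSQLI_OPT_LOCAL_INFILE and mysqli_real_connect() available.

```php
<?php
// Added example, not from the patch: deny-by-default handling of the
// 'infile_local' server directive for both the mysql and mysqli extensions.

// PHP's mysql extension exposes no constant for this bit; 128 is
// CLIENT_LOCAL_FILES from mysql_com.h, as the patch's inline comment says.
if (!defined('PMA_CLIENT_LOCAL_FILES')) {
    define('PMA_CLIENT_LOCAL_FILES', 128);   // assumed name
}

/**
 * Return TRUE only when the directive is present and explicitly TRUE,
 * so a missing or malformed key never enables LOAD DATA LOCAL.
 */
function pma_infile_local_enabled(array $server)
{
    return isset($server['infile_local']) && $server['infile_local'] === true;
}

/**
 * Build the $client_flags bitmask for mysql_(p)connect(), mirroring the
 * patch's logic but with LOCAL INFILE off unless explicitly requested.
 */
function pma_client_flags(array $server)
{
    $flags = 0;
    if (!empty($server['compress']) && defined('MYSQL_CLIENT_COMPRESS')) {
        $flags |= MYSQL_CLIENT_COMPRESS;
    }
    if (pma_infile_local_enabled($server)) {
        $flags |= PMA_CLIENT_LOCAL_FILES;
    }
    return $flags;
}

/**
 * mysqli path (assumed helper name): the option is set explicitly both
 * ways so the client library's compiled-in default never decides it.
 * Returns a mysqli link or FALSE on failure.
 */
function pma_mysqli_connect(array $server, $user, $password)
{
    $link = mysqli_init();
    mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE,
                   pma_infile_local_enabled($server) ? 1 : 0);

    $flags  = !empty($server['compress']) ? MYSQLI_CLIENT_COMPRESS : 0;
    $port   = isset($server['port']) && $server['port'] !== ''
            ? (int) $server['port'] : 3306;
    $socket = isset($server['socket']) && $server['socket'] !== ''
            ? $server['socket'] : null;

    if (!@mysqli_real_connect($link, $server['host'], $user, $password,
                              '', $port, $socket, $flags)) {
        return false;
    }
    return $link;
}

// Constructed sample entries, shaped like $cfg['Servers'][$i] in config.inc.php.
$weak_server = array(           // what the patch's default amounts to
    'host'         => 'localhost',
    'compress'     => false,
    'infile_local' => true,
);
$safe_server = array(           // key omitted: flag stays off
    'host'         => 'localhost',
    'compress'     => false,
);

$weak_flags = pma_client_flags($weak_server);
$safe_flags = pma_client_flags($safe_server);
printf("weak=%d safe=%d local_files_bit_set=%s\n",
       $weak_flags, $safe_flags,
       ($weak_flags & PMA_CLIENT_LOCAL_FILES) ? 'yes' : 'no');
```

The flag is only ever OR-ed in after an explicit `=== true` check, so a config copied from an older release, or one where the key is set to a string, behaves the same as one where the directive is absent; on the mysqli side the option is written in both states rather than only when enabling, which is what makes the phpMyAdmin setting authoritative over whatever my.cnf says on the client.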