Bug #68764 Client FILE permission passed on to server
Submitted: 25 Mar 2013 16:01
Reporter: Programmer Old Email Updates:
Status: Open Impact on me:
None 
Category:MySQL Server Severity:S4 (Feature request)
Version: OS:Any
Assigned to: CPU Architecture:Any

[25 Mar 2013 16:01] Programmer Old 
Description:
As suggested in MySQL help-pages, a hosting company denys the hosted websites the privilege FILE, for the listed cogent reasons--but if the server opened files with the client s permission, not its own (as in Unix s set-user-id), there would be much less risk, enough less that sometimes FILE would be allowed.

How to repeat:
A web form with input type=file appears, and the uploaded file is there for form-method PHP script to handle, but FILE permission is needed for using FILE in "INSERT INTO ... FILE(...) ...". If somehow the same permission allowed the PHP script was allowed the server on the user who from PHP sent the server the request s behalf, there would be no reason to forbid it.
It is better to use FILE than to read the file into the SQL query and make it absurdly long.

Suggested fix:
Add to FILE, LOAD DATA, INTO OUTFILE a parameter that requests passing to the server the client s permissions--or simply always pass them.