User-Defined Function Security Precautions
MySQL takes the following measures to prevent misuse of user-defined functions.
You must have the INSERT
privilege to be able to use CREATE FUNCTION
and the DELETE
privilege to be able to use DROP FUNCTION
. This is necessary because these statements add and delete rows from the mysql.func
table.
UDFs should have at least one symbol defined in addition to the xxx
symbol that corresponds to the main xxx()
function. These auxiliary symbols correspond to the xxx_init()
, xxx_deinit()
, xxx_reset()
, xxx_clear()
, and xxx_add()
functions. mysqld also supports an --allow-suspicious-udfs
option that controls whether UDFs that have only an xxx
symbol can be loaded. By default, the option is off, to prevent attempts at loading functions from shared object files other than those containing legitimate UDFs. If you have older UDFs that contain only the xxx
symbol and that cannot be recompiled to include an auxiliary symbol, it may be necessary to specify the --allow-suspicious-udfs
option. Otherwise, you should avoid enabling this capability.
UDF object files cannot be placed in arbitrary directories. They must be located in the server's plugin directory. This directory is given by the value of the plugin_dir
system variable.