
Ensure 'secure_file_priv' Is Not Empty


The secure_file_priv option restricts the paths that can be used by LOAD DATA INFILE or SELECT local_file.

It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL.


Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     rds
secureclouddb/engine      mysql

Default Rule

// getServerSetting and isEmpty are helpers taken from the module object
const { getServerSetting, isEmpty } = module

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {Object} result whose success field is true if the database instance has a path configured in the secure_file_priv option that's not empty
 */
function validate(databaseSettings) {
    const settingName = "secure_file_priv"
    const currentValue = getServerSetting(databaseSettings, settingName)
    const success = !isEmpty(currentValue)

    return {
        success
    }
}

// invoke
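
The default rule only tests that the value is not empty. The following added example (not the product's rule code) goes further: it separates the three states MySQL defines for secure_file_priv (empty, NULL, a directory) and flags directories too broad to meet the recommendation above. The names classifySecureFilePriv, normalizeDir and the BROAD_DIRS list are assumptions, and values are assumed to be absolute POSIX paths.

```javascript
// Added example: classify a secure_file_priv value as reported by the server.
// Assumption: directories too broad to count as a real restriction.
// Adjust this list for your own hosts.
const BROAD_DIRS = new Set(["/", "/etc", "/home", "/root", "/var"]);

// Collapse "//", "." and ".." so "/var/lib/../../etc/" compares as "/etc".
function normalizeDir(p) {
    const parts = [];
    for (const seg of p.split("/")) {
        if (seg === "" || seg === ".") continue;
        if (seg === "..") parts.pop(); else parts.push(seg);
    }
    return "/" + parts.join("/");
}

function classifySecureFilePriv(value) {
    // Setting missing from the collected data: compliance cannot be asserted.
    if (value === undefined) {
        return { success: false, state: "unknown", reason: "secure_file_priv not reported" };
    }
    // NULL: the server disables import and export operations entirely.
    if (value === null || String(value).trim().toUpperCase() === "NULL") {
        return { success: true, state: "disabled", reason: "import and export disabled" };
    }
    const raw = String(value).trim();
    // Empty string: the variable has no effect, so no path restriction applies.
    if (raw === "") {
        return { success: false, state: "unrestricted", reason: "secure_file_priv is empty" };
    }
    // Directory: import and export are limited to it; reject overly broad ones.
    const dir = normalizeDir(raw);
    if (BROAD_DIRS.has(dir)) {
        return { success: false, state: "too_broad", reason: `${dir} holds unrelated files` };
    }
    return { success: true, state: "restricted", reason: `limited to ${dir}` };
}

// Constructed sample values, as a settings collector might report them.
const samples = ["", "NULL", null, "/var/lib/mysql-files/", "/", undefined];
for (const s of samples) {
    const r = classifySecureFilePriv(s);
    console.log(JSON.stringify(s), "->", r.state, `(${r.reason})`);
}
```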