by philo23 4263 days ago
It appears to be a pretty serious issue. The SQL injection alone is bad but the ability to run basically any PHP code through callbacks makes the problem that much worse.

SQL injection alone is often enough to get you RCE if your MySQL account has FILE permissions enabled (often true). Something like `SELECT "<?php eval($_GET['x'])" INTO OUTFILE /srv/www/backdoor.php`.
>(often true)

I don't think it's that often. By default, a new MySQL user will not have FILE privileges granted.

Most of the time you see this due to the developer being lazy and just using the "root" MySQL user.

This would also depend on hilariously bad permissions on /srv/www that allow the mysql user to create files there.
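
An added example, not part of the thread: a defender-side check of the points raised in the replies above, flagging whether the account a web application connects as holds FILE, either explicitly or through `ALL PRIVILEGES ON *.*` as root does. The grant lines are constructed sample `SHOW GRANTS` output, and the account names and the `secure_file_priv` check are assumptions that the thread does not mention.

```python
import re

# One line of SHOW GRANTS output: privilege list, scope, account.
GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(\S+)", re.IGNORECASE)

# Constructed sample input (not taken from a real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'shop_app'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'shop_app'@'localhost'",
    "GRANT SELECT, FILE ON *.* TO 'report'@'%'",
    "GRANT ALL PRIVILEGES ON `blog`.* TO 'blog_app'@'localhost'",
]


def accounts_with_file(grant_lines):
    """Map account -> reason for every account that holds FILE."""
    flagged = {}
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs_raw, scope, account = m.groups()
        if scope != "*.*":  # FILE is global-only; db-level ALL lacks it
            continue
        account = account.replace("'", "").replace("`", "")
        privs = {p.strip().upper() for p in privs_raw.split(",")}
        if "FILE" in privs:
            flagged[account] = "FILE granted explicitly"
        elif privs & {"ALL", "ALL PRIVILEGES"}:
            flagged[account] = "ALL PRIVILEGES ON *.* includes FILE"
    return flagged


def audit_app_account(app_account, grant_lines, secure_file_priv):
    """Findings for the account the web application connects as.

    secure_file_priv: value of @@secure_file_priv; None means NULL
    (export disabled), "" means no directory restriction.
    """
    findings = []
    reason = accounts_with_file(grant_lines).get(app_account)
    if reason:
        findings.append(f"{app_account}: {reason}")
        if secure_file_priv == "":
            findings.append("secure_file_priv is empty: INTO OUTFILE path unrestricted")
    return findings


if __name__ == "__main__":
    for acct in ("root@localhost", "shop_app@localhost"):
        print(acct, audit_app_account(acct, SAMPLE_GRANTS, ""))
```
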