
MYSQL disable SELECT BENCHMARK

How would I disable the MySQL benchmark function, so as not to be subject to blind SQL injection attacks such as "select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );"?

`select * from func` does not show a function named benchmark.

Kind regards, Charles


The best-practice advice is to escape data before passing it to the query, or to use prepared statements. Unfortunately, benchmark is not the only function that is that dangerous, so you would need to disable others as well ...


I have found this answer!

<?php
// ...
// Pattern-based check for an injected "select": note that inside a character
// class "0-255" is read as the range 0-2 plus two literal 5s, and [:ascii:]
// already covers every ASCII character; "select+" means "selec" followed by one
// or more "t". Both calls below print 1 (match).
echo preg_match("/^([\'\)\"a-zA-Z0-9])+([0-255[:ascii:]])+select+([0-255[:ascii:]])+([\-])+([0-255[:ascii:]])+$/","8' union select 1 from --");
// Same idea, keyed on "benchmark" and allowing an opening parenthesis as well.
echo preg_match("/^([\'\)\"\(a-zA-Z0-9])+([0-255[:ascii:]])+benchmark+([0-255[:ascii:]])+([\-])+([0-255[:ascii:]])+$/","select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' )--");
// ...


@Charles I agree that eliminating the BENCHMARK function without first addressing root causes (input validation, etc.) is putting the horse before the cart. But I disagree that it's a picket fence or useless entirely.

Assuming that (a) it's relatively easy to disable, and (b) disabling it doesn't create new vulnerabilities, why not do it? To me it's not a second measure of defense but a first step in securing the system: disabling any and all services & functions not being used. Otherwise you're just arming an attacker's toolbox with one more potential tool - let alone a tool that's well-documented and built into every push-button BlackBox out there!

I think the biggest problem I have with your argument stems not from the debate about whether to enable or disable BENCHMARK, but from your assumption that parametric queries are infallible. Putting too much faith into one system and having a false sense of security is much more dangerous than not disabling a feature like BENCHMARK. Who's to say that Oracle/Microsoft/etc. don't introduce a bug in future releases? Who's to say there isn't a bug in it right now just waiting to be discovered? And who's to say you can trust every person working on the code?
