MySQL takes several measures to prevent misuse of user-defined functions.
UDF object files cannot be placed in arbitrary directories.
They must be located in some system directory that the dynamic
linker is configured to search. To enforce this restriction
and prevent attempts at specifying path names outside of
directories searched by the dynamic linker, MySQL checks the
shared object file name specified in
CREATE FUNCTION statements for
path name delimiter characters. As of MySQL 5.0.3, MySQL also
checks for path name delimiters in file names stored in the
mysql.func table when it loads functions.
This prevents attempts at specifying illegitimate path names
through direct manipulation of the
mysql.func table. For information about
UDFs and the runtime linker, see
Section 220.127.116.11, “Compiling and Installing User-Defined Functions”.
CREATE FUNCTION or
DROP FUNCTION, you must have
DELETE privilege, respectively,
mysql database. This is necessary
because those statements add and delete rows from the
UDFs should have at least one symbol defined in addition to
xxx symbol that corresponds to the main
xxx() function. These auxiliary symbols
correspond to the
xxx_add() functions. As of MySQL 5.0.3,
mysqld supports an
that controls whether UDFs that have only an
xxx symbol can be loaded. By default, the
option is off, to prevent attempts at loading functions from
shared object files other than those containing legitimate
UDFs. If you have older UDFs that contain only the
xxx symbol and that cannot be recompiled to
include an auxiliary symbol, it may be necessary to specify
option. Otherwise, you should avoid enabling this capability.