Ref T13238. See PHI1014. To attempt to defuse attacks based on "LOAD DATA INFILE LOCAL", set MYSQLI_OPT_LOCAL_INFILE. This option is documented as disabling local file loads.
This doesn't actually work for me: I can still "LOAD DATA INFILE LOCAL" with this option set. However, it probably can't hurt? I'll dig into this a bit more before I land this change, I suspect this option must work sometimes and maybe it's just detecting that my client and server are both the same host or something. (Some amount of digging at least suggests this might be a simple bug where mysqli. allow_local_infile is overwriting the options() call.)
Separately, capture and raise errors from mysqli->query() which do not set the connection error code more accurately. Before this change, trying "LOAD DATA INFILE LOCAL" with "mysqli.allow_local_infile = 0" raised Error #0: .
Now, it raises EXCEPTION: (AphrontQueryException) #777777: mysqli::query(): LOAD DATA LOCAL INFILE forbidden.