Vuln: MySQL MyISAM Table Privileges Security Bypass Vulnerability
Submitted by robot_terror on Mon, 07/14/2008 - 12:54.
Vuln: MySQL MyISAM Table Privileges Security Bypass Vulnerability (source: SecurityFocus Vulnerabilities)
In all modern versions of MySQL (that is, beginning early in MySQL 4's development history), the "CREATE TABLE ( ) DATA DIRECTORY ... INDEX DIRECTORY ..." command can be used to escalate privileges to access and change data created by other MySQL users. MySQL AB has changed MySQL 4 and MySQL 5 behavior to remedy this problem.
However, this is also a good case for restricting direct RDBMS access by any untrusted system user or application, and instead forcing all access to go through the application layer. That is, of course, as long as one locks down the application layer's access to the RDBMS, too! Besides controlling access for security purposes, managing access at the application layer improves the chance of enforcing business rules with the database (without resorting to stored procedures and triggers).
-- Robot Terror
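
To audit for the statement form named above, logged statements can be scanned for CREATE TABLE with DATA DIRECTORY or INDEX DIRECTORY options and attributed to the issuing account. This is an added example, not part of the original post or MySQL's own code; the (account, statement) input shape, the sample rows, the function names and the `/var/lib/mysql` data directory are assumptions.

```python
import posixpath
import re

# Assumed server data directory (hypothetical value; take yours from @@datadir).
DATADIR = "/var/lib/mysql"

CREATE_RE = re.compile(
    r"^\s*CREATE\s+(?:TEMPORARY\s+)?TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    r"(?P<table>`[^`]+`(?:\.`[^`]+`)?|[\w$.]+)",
    re.IGNORECASE,
)
OPTION_RE = re.compile(
    r"\b(?P<kind>DATA|INDEX)\s+DIRECTORY\s*=?\s*(?P<q>['\"])(?P<path>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)

def inside(path, root):
    """True if path, after resolving '..' segments, is root or lies below it."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def find_directory_overrides(statements, datadir=DATADIR):
    """Return one finding per DATA/INDEX DIRECTORY option in a CREATE TABLE."""
    findings = []
    for user, sql in statements:
        m = CREATE_RE.match(sql)
        if not m:
            continue  # only CREATE TABLE statements are of interest
        for opt in OPTION_RE.finditer(sql, m.end()):
            findings.append({
                "user": user,
                "table": m.group("table").replace("`", ""),
                "option": opt.group("kind").upper() + " DIRECTORY",
                "path": opt.group("path"),
                # Paths under the data directory sit beside other users' tables.
                "in_datadir": inside(opt.group("path"), datadir),
            })
    return findings

# Constructed sample input: (account, statement) pairs as an audit log might give.
SAMPLE = [
    ("app@10.0.0.5", "CREATE TABLE t1 (id INT) ENGINE=MyISAM"),
    ("bob@localhost", "create table `shop`.`t2` (id int) engine=MyISAM "
                      "DATA DIRECTORY = '/var/lib/mysql/../mysql/payroll' "
                      "INDEX DIRECTORY='/srv/idx'"),
    ("bob@localhost", "SELECT 'DATA DIRECTORY = ''/x''' FROM dual"),
]
```

The match is regex-based, so a CREATE TABLE whose column comments or defaults contain the option text can produce a false positive; review findings against the account's expected privileges.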
