INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but that
privilege must be specifically granted to a user before it's possible to
execute it. No sensible administrator would grant the FILE privilege to a
webserver application's database acccount.
Very true, but a good blackhat always keeps a good supply of ways to exploit
common stupid administrator mistakes. I'd not be surprised in the least if
more than 10% of the sites, some admin under time pressure to Just Fix It
assigned FILE privs to get the web application back up and running.