You can set it up such that the PHP app uses up all the available connections to the database and you can't connect unless you stop the PHP app (which people may notice).


If you're thinking of limiting to the PHP worker process, then all I have to do is wrap my SQL in PHP statements. I can still use SQL queries using the PHP worker, which is a bit long-winded but scriptable.

I can then use LOAD_FILE and SELECT INTO to read and write to files, but I won't be able to execute arbitrary code.

If the application user has access to mysql.user, though, I can then SELECT host, user, password FROM mysql.user; to get the credential details and password hashes, which can then be fed through a password cracker of my choice. Once I've done that, I can reconfigure the worker to use the root mysql account, restart the PHP worker process and start sucking the database down or modifying it.

Of course, in theory you'd have some access to the database server beyond port 3306, such as SSH, in which case I'd look at grabbing mysql account info from /etc/passwd, then dropping ssh keys into that user's home directory so I can use key-based auth to get onto the box. This may or may not work (there are many variables), but I'm just writing that here to illustrate that with breaking in, as it is with Perl, there's more than one way to do it.
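The chain described in the post above (an application account that can read mysql.user, plus the FILE privilege that LOAD_FILE and SELECT ... INTO OUTFILE depend on) is exactly what least-privilege grants are meant to cut off. What follows is an added example of my own, not code from the thread: the weak grant next to a scoped one, and the audit queries a DBA can run to confirm it. The schema name appdb, the account 'app'@'localhost' and the password string are placeholders.

```sql
-- Added example (not from the thread): MySQL least-privilege setup for a
-- PHP application account, plus audit queries to verify it.
-- 'appdb' and 'app'@'localhost' are placeholder names; the password is a dummy.

-- Weak setup (shown commented out, do not run): the application account can
-- read every schema, including mysql.user, and holds the global FILE privilege
-- that LOAD_FILE() and SELECT ... INTO OUTFILE require.
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'localhost';

-- Hardened setup: only the DML the application actually needs, scoped to its
-- own schema. No access to the mysql schema, no FILE, no SUPER, no GRANT OPTION.
CREATE USER IF NOT EXISTS 'app'@'localhost' IDENTIFIED BY 'change-me-placeholder';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'localhost';
FLUSH PRIVILEGES;

-- Audit 1: which accounts hold the global FILE privilege?
-- Expect only administrative accounts here, never the web application's.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- Audit 2: which accounts can read the mysql schema (and therefore the
-- password hashes in mysql.user)? Global SELECT or a schema-level grant on
-- mysql.* both count.
SELECT user, host FROM mysql.user WHERE Select_priv = 'Y'
UNION
SELECT user, host FROM mysql.db WHERE db = 'mysql' AND Select_priv = 'Y';

-- Audit 3: is server-side file access fenced off? An empty value means
-- LOAD_FILE()/INTO OUTFILE can touch any path the mysqld process can read or
-- write; a directory restricts them to that directory; NULL disables them.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Finally, what the application account itself ends up with:
SHOW GRANTS FOR 'app'@'localhost';
```

Run the audit queries as an administrative account; the application account, once scoped as above, should not appear in the results of the first two. Pair the grant change with a non-empty secure_file_priv (set in my.cnf, it cannot be changed at runtime) so that even an account that somehow regains FILE cannot read or write arbitrary paths.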



