Bug #1271 Undefined variable in PASSWORD() function is not handled correctly
Submitted: 13 Sep 2003 4:01 Modified: 21 Oct 2003 8:25
Reporter: Indrek Siitan Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:4.0, 4.1 OS:Any (any)
Assigned to: Sergei Golubchik

[13 Sep 2003 4:01] Indrek Siitan
Description:
Passing an undefined variable to the PASSWORD() function eliminates it from the WHERE clause.

How to repeat:
create table temp_table (
name VARCHAR(50) NOT NULL PRIMARY KEY,
pw VARCHAR(16) NOT NULL);

INSERT INTO temp_table (name, pw) 
VALUES ('tom', PASSWORD('my_pw'));

SET @pass='my_pw';
SET @wrong='incorrect';

mysql> SELECT name FROM temp_table WHERE name='tom' AND pw=PASSWORD(@pass);
+------+
| name |
+------+
| tom  |
+------+
1 row in set (0.00 sec)

mysql> SELECT name FROM temp_table WHERE name='tom' AND pw=PASSWORD(@wrong);
Empty set (0.00 sec)

mysql> SELECT name FROM temp_table WHERE name='tom' AND pw IS NULL;
Empty set (0.00 sec)

(correct)

mysql> SELECT name FROM temp_table WHERE name='tom' AND pw=PASSWORD(@undefined); 
+------+
| name |
+------+
| tom  |
+------+
1 row in set (0.00 sec)

(wrong)
[21 Oct 2003 8:25] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Fixed in 4.0.17