Bug #16881 password() and union select
Submitted: 29 Jan 2006 8:12
Modified: 15 Aug 2006 3:26
Reporter: zhou ping
Status: Closed
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 4.1, 5.0, 5.1
OS: Microsoft Windows (win2k, linux)
Assigned to: Jim Winstead

[29 Jan 2006 8:12] zhou ping
Description:
mysql> select password('mypass') union select version();
+--------------------+
| password('mypass') |
+--------------------+
| *6C8989366EAF      |
| 5.0.18             |
+--------------------+
2 rows in set (0.00 sec)

mysql> select password('mypass') union select database();
+------------------------------------+
| password('mypass')                 |
+------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176 |
| NULL                               |
+------------------------------------+
2 rows in set (0.01 sec)

How to repeat:
mysql> select password('mypass') union select version();
+--------------------+
| password('mypass') |
+--------------------+
| *6C8989366EAF      |
| 5.0.18             |
+--------------------+
2 rows in set (0.00 sec)

mysql> select password('mypass') union select database();
+------------------------------------+
| password('mypass')                 |
+------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176 |
| NULL                               |
+------------------------------------+
2 rows in set (0.01 sec)
[29 Jan 2006 8:14] zhou ping
xx

Attachment: php-mysql.php (application/octet-stream, text), 18.12 KiB.

[29 Jan 2006 10:32] Jorge del Conde
Thanks for your bug report.  I tested this under XP and FC4
[7 Apr 2006 23:03] Hartmut Holzgraefe
verified on linux, too, using different versions

also found that the field order doesn't matter:

select version() union select password('mypass');
+---------------+
| version()     |
+---------------+
| 5.1.9-beta    |
| *6C8989366EAF |
+---------------+
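
An added check, not part of the original report or of MySQL's test suite, that classifies the result cells from the sessions above against the full-length hash. It assumes the 4.1+ PASSWORD() format ('*' followed by the 40 upper-case hex digits of SHA1(SHA1(plaintext))); the function names and the OBSERVED table are constructed for this example.

```python
import hashlib


def mysql41_password(plaintext: str) -> str:
    """Assumed 4.1+ PASSWORD() format: '*' + upper-hex SHA1(SHA1(plaintext))."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(observed: str, expected: str) -> str:
    """Label one result-set cell against the expected full-length hash."""
    if observed == expected:
        return "full"
    # A proper prefix of the expected hash means the column was cut short.
    if len(observed) > 1 and expected.startswith(observed):
        return f"truncated to {len(observed)} of {len(expected)} chars"
    return "not a hash"


# Result cells copied from the sessions in this report (keys are labels
# constructed for this example, not SQL to be executed).
OBSERVED = {
    "password() UNION version()": ["*6C8989366EAF", "5.0.18"],
    "password() UNION database()": ["*6C8989366EAF75BB670AD8EA7A7FC1176", "NULL"],
    "version() UNION password()": ["5.1.9-beta", "*6C8989366EAF"],
}


def report(plaintext: str = "mypass") -> dict:
    """Classify every observed cell for the plaintext used in the report."""
    expected = mysql41_password(plaintext)
    return {
        query: [classify(cell, expected) for cell in cells]
        for query, cells in OBSERVED.items()
    }


if __name__ == "__main__":
    print("expected:", mysql41_password("mypass"))
    for query, labels in report().items():
        print(f"{query}: {labels}")
```
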
[7 Apr 2006 23:15] Hartmut Holzgraefe
also affects MD5() but not UUID() ... uploading test case ...
[7 Apr 2006 23:16] Hartmut Holzgraefe
test case

Attachment: bug16881.tar.gz (application/x-gunzip, text), 1006 bytes.

[21 Jul 2006 20:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/9433
[3 Aug 2006 16:38] Magnus Blåudd
Pushed to 5.0.25
[9 Aug 2006 13:15] Jon Stephens
Documented bugfix in 5.0.25 changelog.

As this is shown to be an issue in 4.1 and up, please advise if and when this fix is made in 4.1 and/or 5.1. Thanks.
[14 Aug 2006 20:18] Konstantin Osipov
Merged into 5.1.12.
[15 Aug 2006 3:26] Paul Dubois
Noted in 5.1.12 changelog.