Bug #20854 XML functions: ExtractValue() allows invalid XML input
Submitted: 4 Jul 2006 20:44 Modified: 8 Oct 2006 5:40
Reporter: Dimitris Kounalakis Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: XML functions Severity:S3 (Non-critical)
Version:5.1.11 OS:Windows (winXP)
Assigned to: Alexander Barkov CPU Architecture:Any

[4 Jul 2006 20:44] Dimitris Kounalakis
See how to repeat:

How to repeat:
mysql> select ExtractValue("<zot><tim0><01>10:39:15</01><02>140</02></tim0></zot>","/zot/tim0/02");
| ExtractValue("<zot><tim0><01>10:39:15</01><02>140</02></tim0></zot>","/zot/tim0/02") |
| 2       |
1 row in set (0.00 sec)
[4 Jul 2006 23:04] Hartmut Holzgraefe
You're using invalid XML here as tag names can't start with a digit,
see http://www.w3.org/TR/REC-xml/ Section 2.3 "Common Syntactic Constructs"

   Names and Tokens

  [4] NameChar ::= Letter | Digit | '.' | '-' | '_' | ':' | CombiningChar | Extender
  [5] Name ::= (Letter | '_' | ':') (NameChar)*

I'd expect the function to either return an error message or a NULL result though, returning the numeric value of the invalid path component doesn't
seem to make any sense at all, so i'm verifying the bug report
[5 Jul 2006 12:55] Dimitris Kounalakis
There are two issues here:
1. The "XML field" has content with invalid tags
2. The second parameter of extractvalue has an invalide tag

Two possible issues for this bug's resolution:
1. Validate "XML field"'s content (this should be optionaly turned off on user's request for  performance)
2. check the second parameter of extractvalue for invalid tags
[14 Sep 2006 6:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:


ChangeSet@1.2313, 2006-09-14 11:47:19+05:00, bar@mysql.com +4 -0
  Bug#20854 XML functions: wrong result in ExtractValue
[26 Sep 2006 10:28] Ramil Kalimullin
Looks good, okay to push (see hf's suggestion).
[3 Oct 2006 20:16] Chad MILLER
Available in 5.1.12-beta.
[8 Oct 2006 5:40] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at


Updated description to reflect accurately the nature of the bug.

Documented fix in 5.1.12 changelog.