Bug #28779 mysql_query() allows execution of statements with unbalanced comments
Submitted: 30 May 2007 15:47 Modified: 29 Oct 2007 19:28
Reporter: Mark Leith
Status: Closed
Category: MySQL Server: Parser    Severity: S3 (Non-critical)
Version: 5.0.42    OS: Any
Assigned to: Marc Alff
Tags: bfsm_2007_06_21

[30 May 2007 15:47] Mark Leith
Description:
mysql_query() / mysql_real_query() allow statements to be executed that include poorly balanced comments and quotes, such as:

DELETE FROM t1 WHERE i = 7 OR 1=1/*' AND j = 'bar'

Note that /*' is not properly closed (or, the ' is closed and re-opened and never closed again).

How to repeat:
A quick and dirty testcase will be attached
[30 May 2007 15:48] Mark Leith
testcase

Attachment: bug28779.c (text/plain), 2.75 KiB.

[30 May 2007 15:53] Sinisa Milivojevic
another test code

Attachment: mark.c (application/octet-stream, text), 3.29 KiB.

[6 Jun 2007 19:31] Philip Stoev
Here is a way to reproduce such bugs via the mysql client, (courtesy of Valeriy Kravchuk):

mysql> prepare bar from "DELETE FROM t1 WHERE i = 7 OR 1=1/*' AND j = 'bar';";
ERROR 1146 (42S02): Table 'test.t1' doesn't exist
[31 Jul 2007 19:37] Marc Alff
See related Bug#26302, which has important implications:

Because of Bug#26302, some stored functions / procedures / triggers,
and in 5.1 events can have been stored with a chopped comment.
[31 Jul 2007 23:34] Marc Alff
Cannot be fixed before Bug#30164 is fixed.
[3 Aug 2007 16:55] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/32077

ChangeSet@1.2487, 2007-08-03 10:54:13-06:00, malff@weblab.(none) +3 -0
  Bug#28779 (mysql_query() allows execution of statements with unbalanced
  comments and quotes)
  
  INTERMEDIATE PATCH ONLY -- NOT READY FOR PRODUCTION
  
  This patch cannot be merged as is before Bug 30164 is fixed.
  This is an intermediate patch only, for pre review.
[29 Aug 2007 14:08] Konstantin Osipov
Approved by email.
[29 Aug 2007 20:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/33400

ChangeSet@1.2506, 2007-08-29 14:50:32-06:00, malff@weblab.(none) +3 -0
  Bug#28779 (mysql_query() allows execution of statements with unbalanced
  comments)
  
  Before this fix, the server would accept queries that contained comments,
  even when the comments were not properly closed with a '*' '/' marker.
  
  For example,
    select 1 /* + 2 <EOF>
  would be accepted as
    select 1 /* + 2 */ <EOF>
  and executed as
    select 1
  
  With this fix, the server now rejects queries with unclosed comments
  as syntax errors.
  Both regular comments ('/' '*') and special comments ('/' '*' '!') must be
  closed with '*' '/' to be parsed correctly.
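The lexer behaviour that the original description and the commit message above spell out, as an added example that is not part of this bug report or of the MySQL source tree: a small C scanner that strips comments the way the pre-fix server did (an unterminated `/*` is treated as if `*/` sat at `<EOF>`) or, in strict mode, reports it the way the fixed server does. Run against the statement from the report, it shows the security-relevant effect: the application intended `WHERE i = <id> AND j = 'bar'`, the attacker supplied `<id>` as `7 OR 1=1/*`, and the old behaviour executed `DELETE FROM t1 WHERE i = 7 OR 1=1` with the application's own `AND j = 'bar'` swallowed by the comment, even though the quote the application appended was never closed. The function names `scan_sql` and `check`, the status codes and the sample statements are the example's own assumptions; the handling of `/*!` special comments (version digits skipped, body kept) is a simplification of the server's real rules, and `--` is only honoured as a comment when followed by whitespace, as MySQL requires.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning one statement (status codes are the example's own). */
enum scan_status {
    SCAN_OK = 0,
    SCAN_UNCLOSED_COMMENT,   /* a slash-star with no matching star-slash */
    SCAN_UNCLOSED_QUOTE,     /* string or identifier never terminated */
    SCAN_TOO_LONG            /* output buffer exhausted */
};

/* Scan `sql` and write the text that would actually be executed (comments
 * removed, quoted strings copied verbatim) into `out`.  With strict == 0 an
 * unterminated comment is silently closed at end of input (pre-fix server);
 * with strict != 0 it is reported instead (fixed server).  Special comments
 * have their version digits skipped and their body kept: a simplification. */
static enum scan_status scan_sql(const char *sql, int strict, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = sql;
#define EMIT(c) do { if (o + 1 >= outlen) { out[o] = '\0'; return SCAN_TOO_LONG; } \
                     out[o++] = (c); } while (0)

    while (*p) {
        if (*p == '\'' || *p == '"' || *p == '`') {
            /* Quoted string or identifier: a comment opener inside it is data. */
            char q = *p;
            EMIT(*p++);
            for (;;) {
                if (!*p) { out[o] = '\0'; return SCAN_UNCLOSED_QUOTE; }
                if (*p == '\\' && q != '`' && p[1]) {      /* backslash escape */
                    EMIT(*p++); EMIT(*p++); continue;
                }
                if (*p == q && p[1] == q) {                 /* doubled quote */
                    EMIT(*p++); EMIT(*p++); continue;
                }
                EMIT(*p++);
                if (p[-1] == q) break;                      /* closing quote */
            }
        } else if (p[0] == '/' && p[1] == '*') {
            int special = (p[2] == '!');
            const char *end;
            p += special ? 3 : 2;
            if (special)
                while (isdigit((unsigned char)*p)) p++;     /* version prefix */
            end = strstr(p, "*/");
            if (end == NULL) {
                if (strict) { out[o] = '\0'; return SCAN_UNCLOSED_COMMENT; }
                end = p + strlen(p);   /* pre-fix behaviour: closer assumed at <EOF> */
            }
            if (special)
                for (; p < end; p++) EMIT(*p);              /* special-comment body runs */
            p = (*end != '\0') ? end + 2 : end;
        } else if (*p == '#' ||
                   (p[0] == '-' && p[1] == '-' &&
                    (p[2] == ' ' || p[2] == '\t' || p[2] == '\n' || p[2] == '\0'))) {
            while (*p && *p != '\n') p++;                   /* line comment */
        } else {
            EMIT(*p++);
        }
    }
    out[o] = '\0';
    return SCAN_OK;
#undef EMIT
}

/* Returns 1 when scanning `sql` yields the expected status and, for SCAN_OK,
 * the expected executed text. */
static int check(const char *sql, int strict, enum scan_status want, const char *want_out)
{
    char buf[256];
    enum scan_status got = scan_sql(sql, strict, buf, sizeof buf);
    if (got != want) return 0;
    return want == SCAN_OK ? strcmp(buf, want_out) == 0 : 1;
}

/* Constructed input: the application built  DELETE FROM t1 WHERE i = <id> AND j = 'bar'
 * and <id> arrived as  7 OR 1=1  followed by a slash-star. */
#define INJECTED "DELETE FROM t1 WHERE i = 7 OR 1=1/*' AND j = 'bar'"

int main(void)
{
    const char *samples[] = {
        INJECTED,
        "select 1 /* + 2",                 /* the commit message's example */
        "SELECT 1 /* + 2 */ + 3",          /* properly closed */
        "SELECT '/*' AS s FROM t1",        /* opener inside a string is data */
        "/*!50000 SELECT 1 */",            /* special comment, body executes */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256];
        enum scan_status s;
        printf("input   : %s\n", samples[i]);
        s = scan_sql(samples[i], 0, buf, sizeof buf);
        printf("  pre-fix: status %d, executes [%s]\n", (int)s, buf);
        s = scan_sql(samples[i], 1, buf, sizeof buf);
        printf("  fixed  : status %d%s\n", (int)s, s == SCAN_OK ? "" : " (rejected as a syntax error)");
    }
    return 0;
}
```

The rejection in strict mode is the whole fix: nothing about the server's quoting or escaping changed, so an application that interpolates untrusted input into statement text is still injectable; the fix only removes the trick of using an unterminated comment to discard the remainder of a statement and still have it execute.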
[30 Aug 2007 18:59] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/33468

ChangeSet@1.2589, 2007-08-30 12:57:05-06:00, malff@weblab.(none) +3 -0
  Bug#28779 (mysql_query() allows execution of statements with unbalanced
  comments)
  
  This change set is for 5.1 (manually merged)
  
  Before this fix, the server would accept queries that contained comments,
  even when the comments were not properly closed with a '*' '/' marker.
  
  For example,
    select 1 /* + 2 <EOF>
  would be accepted as
    select 1 /* + 2 */ <EOF>
  and executed as
    select 1
  
  With this fix, the server now rejects queries with unclosed comments
  as syntax errors.
  Both regular comments ('/' '*') and special comments ('/' '*' '!') must be
  closed with '*' '/' to be parsed correctly.
[7 Sep 2007 8:08] Bugs System
Pushed into 5.1.23-beta
[7 Sep 2007 8:10] Bugs System
Pushed into 5.0.50
[7 Sep 2007 9:01] Marc Alff
Setting to Need doc info; there are implications for upgrading that need to be detailed.
[29 Oct 2007 19:28] Paul Dubois
Noted in 5.0.50, 5.1.23 changelogs.

The parser accepted statements that contained /* ... */ that were not
properly closed with */, such as SELECT 1 /* + 2. Statements that
contain unclosed /*-comments now are rejected with a syntax error.

This fix has the potential to cause incompatibilities. Because of Bug
#26302, which caused the trailing */ to be truncated from comments in
views, stored routines, triggers, and events, it is possible that
objects of those types may have been stored with definitions that now
will be rejected as syntactically invalid. Such objects should be
dropped and re-created so that their definitions do not contain
truncated comments.

I also added notes to the 5.0 and 5.1 "upgrading" sections.