Bug #30915 | on duplicate key update: needs update privileges for primary key | ||
---|---|---|---|
Submitted: | 8 Sep 2007 14:33 | Modified: | 8 Jan 2008 20:32 |
Reporter: | Richard Smith | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Documentation | Severity: | S3 (Non-critical) |
Version: | 5.0.41 | OS: | FreeBSD (6.2) |
Assigned to: | Paul DuBois | CPU Architecture: | Any |
[8 Sep 2007 14:33]
Richard Smith
[11 Sep 2007 12:38]
MySQL Verification Team
Thank you for the bug report. Verified as described.
[12 Oct 2007 14:35]
Konstantin Osipov
This needs to be documented: ON DUPLICATE KEY UPDATE converts an INSERT statement to an UPDATE statement upon a primary key conflict. An update statement in such case requires a privilege. A normal UPDATE would require this privilege, even though the data is not changed: mysql> insert into test values (1,1); Query OK, 1 row affected (0.00 sec) mysql> update test set x=1, y=2; ERROR 1143 (42000): UPDATE command denied to user 'test'@'localhost' for column 'x' in table 'test' mysql> select * from test; +---+------+ | x | y | +---+------+ | 1 | 1 | +---+------+ 1 row in set (0.00 sec)
[12 Oct 2007 16:01]
Richard Smith
That's fine if the table has one row. If the table has more than one row you get: mysql> update test set x = 1, y = 2; ERROR 1062 (23000): Duplicate entry '1' for key 1 Surely the INSERT must be converted to an UPDATE of the form: update test set y = 2 where x = 1; Which clearly does not need column privileges on the primary key.
[8 Jan 2008 20:32]
Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.
[18 Apr 2013 16:35]
Brandon Bell
Not sure how this ticket can be marked as closed. The documentation doesn't seem to have ever been updated to specifically address this reported bug. Also, updating the documentation doesn't address the underlying compromise to data security if we're forced to provide UPDATE access to the entire table instead of being able to define more finely grained UPDATE access to just specific columns when this SQL syntax is used.