| Bug #3567 | It is possible to create a Prepared Statement with several SQL statements | ||
|---|---|---|---|
| Submitted: | 26 Apr 2004 13:04 | Modified: | 27 Apr 2004 14:44 |
| Reporter: | Sergey Petrunya | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server | Severity: | S3 (Non-critical) |
| Version: | 4.1-bk | OS: | |
| Assigned to: | Sergey Petrunya | CPU Architecture: | Any |
[26 Apr 2004 16:41]
Sergey Petrunya
ChangeSet@1.1824, 2004-04-27 03:44:41+04:00, sergefp@mysql.com Fix for BUG#3567: Disallow several SQL statements inside a Prepared Statement.
[27 Apr 2004 14:44]
Sergey Petrunya
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.
If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information
about accessing the source trees is available at
http://www.mysql.com/doc/en/Installing_source_tree.html

Description:
It is possible to create a Prepared Statement with several SQL statements inside, like "select * from t1; select * from t2" if CLIENT_MULTI_STATEMENTS connection option is set. For a Prepared Statement "sql_stmt1; sql_stmt2; ..." only sql_stmt1 is executed.

How to repeat:
Insert the following into tests/client_test.c:

```c
static void test_prepare_multi_statement()
{
  int rc;
  uint count;
  MYSQL *mysql_local;
  MYSQL_STMT *stmt;

  myheader("test_prepare_multi_statement");

  if (!(mysql_local = mysql_init(NULL)))
  {
    fprintf(stdout,"\n mysql_init() failed");
    exit(1);
  }

  if (!(mysql_real_connect(mysql_local,opt_host,opt_user,
                           opt_password, current_db, opt_port,
                           opt_unix_socket, CLIENT_MULTI_STATEMENTS)))
  {
    fprintf(stdout,"\n connection failed(%s)", mysql_error(mysql_local));
    exit(1);
  }

  rc= mysql_query(mysql_local,"drop table if exists test_column");
  myquery(rc);

  rc = mysql_query(mysql_local,
    "create table test_column(c1 int primary key auto_increment, c2 char(10))");
  myquery(rc);

  rc = mysql_query(mysql_local,
    "insert into test_column(c2) values('a'),('b')");
  myquery(rc);

  strmov(query, "select * from test_column limit 1; create table test.tbl2 ( a int); select * from test_column order by c2 desc;");
  stmt = mysql_simple_prepare(mysql_local,query);
  mystmt_init(stmt);

  verify_param_count(stmt, 0);

  rc = mysql_execute(stmt);
  mystmt(stmt,rc);

  count= my_process_stmt_result(stmt);
  printf ("Got %d rows\n", count);

  mysql_close(mysql_local);
  exit(0);
  return;
}
```

Run tests/client_test

It will print "Got 1 rows" (first query executed) and will not create table test.tbl2

Suggested fix:
According to Konstantin, the fix is to disallow multiple SQL statements inside of a Prepared Statement for 4.1 version.
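An added example, not part of the bug report and not MySQL's server-side fix: a client-side guard in C that rejects SQL text containing more than one statement before it is handed to a prepare call. `has_multiple_statements` is a hypothetical helper with a simplified lexer; it assumes default quoting rules (backslash escapes enabled).

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical client-side guard, not MySQL's server-side fix.
 * Returns 1 if `sql` holds more than one statement: a ';' outside quotes
 * and comments followed by anything but whitespace, comments or more ';'.
 * Assumes default quoting (backslash escapes on). Executable comments are
 * scanned as code because the server runs their contents. */
int has_multiple_statements(const char *sql)
{
    int seen_terminator = 0;
    const char *p = sql;

    while (*p) {
        if (*p == '\'' || *p == '"' || *p == '`') {
            char q = *p++;
            if (seen_terminator) return 1;      /* literal after ';' */
            while (*p) {
                if (*p == '\\' && q != '`' && p[1]) { p += 2; continue; }
                if (*p == q && p[1] == q) { p += 2; continue; } /* '' */
                if (*p++ == q) break;           /* closing quote */
            }
        } else if (*p == '#' || (p[0] == '-' && p[1] == '-' &&
                   (p[2] == '\0' || isspace((unsigned char)p[2])))) {
            while (*p && *p != '\n') p++;       /* line comment */
        } else if (p[0] == '/' && p[1] == '*' && p[2] != '!') {
            p += 2;                             /* block comment */
            while (*p && !(p[0] == '*' && p[1] == '/')) p++;
            if (*p) p += 2;
        } else if (*p == ';') {
            seen_terminator = 1;
            p++;
        } else {
            if (seen_terminator && !isspace((unsigned char)*p)) return 1;
            p++;
        }
    }
    return 0;
}

int main(void)
{
    /* Query text taken from the bug report's test case. */
    const char *q = "select * from test_column limit 1; "
                    "create table test.tbl2 ( a int); "
                    "select * from test_column order by c2 desc;";
    printf("%s\n", has_multiple_statements(q) ? "reject" : "ok to prepare");
    return 0;
}
```

A guard like this complements the server-side restriction; it does not replace it, since only the server's parser is authoritative about statement boundaries.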