MySQL Bugs: #48511: Possible SQL injection in MYSQL v5.1.40

Bug #48511	Possible SQL injection in MYSQL v5.1.40 - community server
Submitted:	3 Nov 2009 18:16	Modified:	3 Nov 2009 18:55
Reporter:	sdfsdf sdfsdfsd	Email Updates:
Status:	Not a Bug	Impact on me:	None
Category:	MySQL Server: Stored Routines	Severity:	S2 (Serious)
Version:	5.0.88, 5.1.40, 5.1.41-bzr	OS:	Any (XP Profession SP2 English)
Assigned to:	Marc ALFF	CPU Architecture:	Any
Tags:	5.1.40, sql injection, stored procedure

Description:
I have created the following procedure: 

BEGIN 
DECLARE EXIT HANDLER FOR SQLEXCEPTION 
BEGIN 
ROLLBACK; 
END; 
SELECT logid FROM ADMINLOG WHERE LOGID=INLOG; 
END 

This procedure has only one argument, as an input argument: 
IN INLOG smallint 

Now, I call the procedure like this: 
call aaa(3;delete from adminlog;); 

And I get the following response from the server: 

ERROR 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 
Query OK, 0 rows affected 
ERROR 1064 : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1 

As you can see from string output "Query OK, 0 rows affected", although the sql server detected an error, the query has been successfuly executed.If the table had entries, then all the entries would have been deleted.There is no way for the procedure to check the contents of this variable, since this error happens before mysql service gives execution to the code inside the procedure, thus preventing writing code inside the procedure that will detect the invalid characters in INLOG variable. 

How to repeat:
Create the following procedure (1 input variable only, "IN INLOG smallint" ) :

BEGIN 
DECLARE EXIT HANDLER FOR SQLEXCEPTION 
BEGIN 
ROLLBACK; 
END; 
SELECT logid FROM ADMINLOG WHERE LOGID=INLOG; 
END 

Create a table named ADMINLOG with one column named LOGID smallint type.
You can insert some values to the table.

Run the procedure from command prompt like this:
call aaa(3;delete from adminlog;); 

The delete statement is being executed.

Suggested fix:
No suggestions.

This is not a bug.

Because the delimiter is ';', the following client request:

call aaa(3;delete from adminlog;); 

is a multi statement request that consist of 3 independent statements:
call aaa(3; 
delete from adminlog;
); 

The first statement is broken and causes the first syntax error.
The second statement is valid and is executed
The third statement is broken and causes the second syntax error.

The server works as expected.