Description:
When running ad hoc random queries I noticed the c/net is trying to call stored procedures when I didn't ask it to.
I'd think a connector should *never* modify the sql a user sends. Especially since I am explicitly setting "cmd.CommandType = CommandType.Text;"
How to repeat:
In a c/net app and in mysql client, try to run these perfectly valid queries (that have no spaces!):
do(1);
select`user`from`mysql`.`user`;
select(left('test',1));
With --general-log=1 --loose-log-raw on server, we see c/net runs it as this!!
3 Query call do(1)
3 Query call select`user`from`mysql`.`user`
3 Query call select(left('test',1))
Suggested fix:
This code is responsible for the flaw:
    private static List<string> SingleWordKeywords = new List<string>(new string[] { "COMMIT", "ROLLBACK", "USE", "BEGIN", "END" });
    ...
    // validates single word statement (maybe is a stored procedure call)
    if (sql.IndexOf(" ") == -1 && !SingleWordKeywords.Contains(sql.ToUpper()))
    {
        sql = "call " + sql;
    }
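Added example, not part of the original report and not Connector/NET code: it runs the quoted heuristic over the statements from the report next to a hypothetical variant that only prepends "call" when the caller set CommandType.StoredProcedure. The class and method names and the sample procedure name my_proc are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;

static class CallRewriteDemo
{
    // Keyword list copied from the snippet quoted in the report.
    static readonly List<string> SingleWordKeywords =
        new List<string> { "COMMIT", "ROLLBACK", "USE", "BEGIN", "END" };

    // The quoted heuristic: no space and not a listed keyword => prepend "call ".
    static string ReportedRewrite(string sql)
    {
        if (sql.IndexOf(" ") == -1 && !SingleWordKeywords.Contains(sql.ToUpper()))
            return "call " + sql;
        return sql;
    }

    // Hypothetical alternative (assumption, not the project's fix):
    // text commands are passed through untouched.
    static string HonourCommandType(string sql, CommandType type)
    {
        return type == CommandType.StoredProcedure ? "call " + sql : sql;
    }

    static void Main()
    {
        // First three statements are from the report (trailing semicolon omitted);
        // "commit" and "my_proc" are constructed samples.
        string[] samples =
        {
            "do(1)",
            "select`user`from`mysql`.`user`",
            "select(left('test',1))",
            "commit",
            "my_proc"
        };

        foreach (string sql in samples)
        {
            string rewritten = ReportedRewrite(sql);
            string passthrough = HonourCommandType(sql, CommandType.Text);
            Console.WriteLine("sent:      " + sql);
            Console.WriteLine("  quoted heuristic -> " + rewritten
                + (rewritten != sql ? "   [modified]" : ""));
            Console.WriteLine("  Text passthrough -> " + passthrough);
        }
    }
}
```

The first three statements come out with the "call " prefix, matching the general log lines in the report, while the passthrough variant sends every Text command exactly as written.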