MySQL 4.1 Prepared Statements stopped working for Java/J2EE apps (Regression from Hoary)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mysql-dfsg-4.1 (Ubuntu) |
New
|
Medium
|
MOTU |
Bug Description
As requested in http://
I have found what I believe to be a major regression from Hoary. In short:
SELECT * FROM mytable WHERE id=1
returns 1 row, as expected. However,
SELECT * FROM mytable WHERE id=?
and setting parameter 1 to 1 ("ps.setInt(1, 1);") does not return any rows. This
should not happen, am I right?
I created the table with:
CREATE TABLE mytable ( id INT PRIMARY KEY, class VARCHAR(32) )
INSERT INTO mytable ( id, class ) VALUES ( 1, 'hallo' )
INSERT INTO mytable ( id, class ) VALUES ( 2, 'hugo' )
I am issuing the statements using Connector/J 3.1.11. I have switched on
autoGenerateTes
/* conn id 0 */ SET NAMES latin1;
/* conn id 0 */ SET character_
/* conn id 0 */ SHOW VARIABLES;
/* conn id 0 */ SHOW COLLATION;
/* conn id 0 */ SET autocommit=1;
/* conn id 0 */ PREPARE debug_stmt_3 FROM "SELECT * FROM mytable WHERE id=?";
/* conn id 0 */ SET @debug_
/* conn id 0 */ EXECUTE debug_stmt_3 USING @debug_
/* conn id 0 */ DEALLOCATE PREPARE debug_stmt_3;
If I enter these commands into "mysql", it returns one row as expected.
I tried repairing the table, both with "REPAIR TABLE" and with myisamchk. The
table was ok, and the problem persisted.
The problem is independant of the JDK version, I've tried SUN JDK 1.5.0_04,
1.5.0_05 and 1.4.2_08. I also tried gij 4.0.1 (which comes with Ubuntu Breezy).
The problem seems to be independant of the Connecter/J version, too. I tried
3.1.9 and 3.1.11.
The problem persists if I create a completely new database (in fact I created a
new /var/lib/mysql, so there were no other databases around).
The problem does _not_ happen on MySQL 4.0.24 or MySQL 4.1.10a (Hoary).
Downgrading is the only workaround I found.
I consider this major, as every application now should use PreparedStatements
(certainly all apps using Hibernate do), because of security reasons (SQL
injection).
description: | updated |
Changed in mysql-dfsg-4.1: | |
assignee: | nobody → motu |
I've experienced the same, and tracked it down to the databinding of values in server-side prepared statements on 4.1.x of mysql server (although apparently only the debian package for 4.1.12 seems to be affected)
2 possible stop-gaps: tmts=false to the jdbc url
- use connector/j 3.0.x in stead (it doesn't exploit the server side prepared statements yet)
- disable the use of server-side prepared statements by adding the ?useServerPrepS
NOTE: in this case the jdbc driver DOES support prepared statements, but emulates them at the client side. (so you shouldn't be worried for sql injection attacks)
Nevertheless I don't consider these as workarounds since disabling server-side prepared statements might have a mayor impact on performance of your app. (just check) It's really just a stop-gap.
I also took the trouble of mentioning over in the mysql-jdbc forum and was told this is probably related to gcc/glibc bug in the debian distro
more 2 read over there: forums. mysql.com/ read.php? 39,49989, 49989#msg- 49989
http://