MariaDB Server
MDEV-27780

'CHANGE MASTER' command (and many others) do not support bind parameters



    Description

      According to the documentation, the CHANGE MASTER TO statement is permitted within dynamically composed SQL statements (via PREPARE/EXECUTE and/or EXECUTE IMMEDIATE).

      However, unlike other statements, the CHANGE MASTER TO statement does not support bind parameters. Evidence for this limitation on 10.6.5:

      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 15
      Server version: 10.6.5-MariaDB managed by https://aws.amazon.com/rds/
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> EXECUTE IMMEDIATE "SELECT ? AS test1, ? AS test2" USING 1, "foobar";
      +-------+--------+
      | test1 | test2  |
      +-------+--------+
      |     1 | foobar |
      +-------+--------+
      1 row in set (0.000 sec)
       
      MariaDB [(none)]> EXECUTE IMMEDIATE "CHANGE MASTER TO MASTER_HOST = ?, MASTER_PORT=?, MASTER_SSL=1" USING 'my.host.com', 1234;
      ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '?, MASTER_PORT=?, MASTER_SSL=1' at line 1
       
      MariaDB [(none)]> EXECUTE IMMEDIATE "CHANGE MASTER TO MASTER_HOST = 'my.host.com', MASTER_PORT=1234, MASTER_SSL=1";
      Query OK, 0 rows affected (0.007 sec)
      

      Furthermore, CHANGE MASTER TO cannot be used in stored procedures except when wrapped in dynamic SQL. (Also, the "Stored Routine Limitations" docs don't mention it as an exception to permitted statements.)

      Because of these limitations, the only way to execute CHANGE MASTER TO with variable parameters in stored procedures is to interpolate these variables’ values directly into a dynamically composed SQL string.

      This means that there is a large attack surface for SQL injection if potentially-untrusted values are provided to CHANGE MASTER TO in this way.

      Questions:

      1. Is it possible to accept bind parameters when executing CHANGE MASTER TO via dynamically-composed SQL?
      2. Is there any documentation for which commands do and don't currently accept bind parameters?
      3. Should the "Stored Routine Limitations" documents be updated to reflect CHANGE MASTER TO as a specific exception?
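The interpolation pattern the report describes, and a hardened variant, as an added example that is not part of the original issue and not MariaDB project code. Both procedures build CHANGE MASTER TO with EXECUTE IMMEDIATE inside a stored procedure, which the report says is the only route available; the procedure names, the payload and the host/port values are constructed for illustration.

```sql
DELIMITER //

-- Vulnerable form: the host value is spliced straight into the SQL string.
-- A host of   my.host.com', MASTER_USER='evil   closes the literal and
-- injects further CHANGE MASTER options into the statement.
CREATE OR REPLACE PROCEDURE set_master_unsafe(IN p_host VARCHAR(255), IN p_port INT)
BEGIN
  EXECUTE IMMEDIATE CONCAT(
    'CHANGE MASTER TO MASTER_HOST = ''', p_host, ''',',
    ' MASTER_PORT = ', p_port, ', MASTER_SSL = 1');
END //

-- Hardened form: QUOTE() returns a single-quoted literal with backslash,
-- single quote, NUL and Ctrl-Z escaped, so the host can no longer terminate
-- the literal; the port is range-checked and cast before interpolation,
-- so only an integer in 1..65535 ever reaches the statement text.
CREATE OR REPLACE PROCEDURE set_master_safe(IN p_host VARCHAR(255), IN p_port INT)
BEGIN
  IF p_host IS NULL OR p_host = '' THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'MASTER_HOST must be non-empty';
  END IF;
  IF p_port IS NULL OR p_port < 1 OR p_port > 65535 THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'MASTER_PORT must be in 1..65535';
  END IF;
  EXECUTE IMMEDIATE CONCAT(
    'CHANGE MASTER TO MASTER_HOST = ', QUOTE(p_host), ',',
    ' MASTER_PORT = ', CAST(p_port AS UNSIGNED), ', MASTER_SSL = 1');
END //

DELIMITER ;

-- Constructed injection payload (the doubled '' is SQL string escaping for one quote):
-- unsafe: executes  CHANGE MASTER TO MASTER_HOST = 'my.host.com', MASTER_USER='evil', MASTER_PORT = 1234, MASTER_SSL = 1
CALL set_master_unsafe('my.host.com'', MASTER_USER=''evil', 1234);
-- safe: MASTER_HOST becomes the single literal 'my.host.com\', MASTER_USER=\'evil'
CALL set_master_safe('my.host.com'', MASTER_USER=''evil', 1234);
```

Escaping only closes the hole the report points at; it does not make an arbitrary caller-supplied host a good idea, so in practice the safe procedure would also compare p_host against an allow-list of replication sources rather than accept any string.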

Reporter: Daniel Lenski (dlenski)