Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.6.5
-
None
Description
According to the documentation, the CHANGE MASTER TO statement is permitted within dynamically composed SQL statements (via PREPARE/EXECUTE and/or EXECUTE IMMEDIATE).
However, unlike other statements, the CHANGE MASTER TO statement does not support bind parameters. Evidence for this limitation on 10.6.5:
Welcome to the MariaDB monitor. Commands end with ; or \g. |
Your MariaDB connection id is 15 |
Server version: 10.6.5-MariaDB managed by https://aws.amazon.com/rds/ |
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. |
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. |
|
MariaDB [(none)]> EXECUTE IMMEDIATE "SELECT ? AS test1, ? AS test2" USING 1, "foobar"; |
+-------+--------+ |
| test1 | test2 |
|
+-------+--------+ |
| 1 | foobar |
|
+-------+--------+ |
1 row in set (0.000 sec) |
|
MariaDB [(none)]> EXECUTE IMMEDIATE "CHANGE MASTER TO MASTER_HOST = ?, MASTER_PORT=?, MASTER_SSL=1" USING 'my.host.com', 1234; |
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '?, MASTER_PORT=?, MASTER_SSL=1' at line 1 |
|
MariaDB [(none)]> EXECUTE IMMEDIATE "CHANGE MASTER TO MASTER_HOST = 'my.host.com', MASTER_PORT=1234, MASTER_SSL=1"; |
Query OK, 0 rows affected (0.007 sec) |
Furthermore, CHANGE MASTER TO cannot be used in stored procedures except when wrapped in wrapping dynamic SQL. (Also, the "Stored Routine Limitations" docs don't mention it as an exception to permitted statements.)
Because of these limitations, the only way to execute CHANGE MASTER TO with variable parameters in stored procedures is to interpolate these variables’ values directly into a dynamically composed SQL string.
This means that there is a large attack surface for SQL injection if potentially-untrusted values are provided to CHANGE MASTER TO in this way.
Questions:
- Is it possible to accept bind parameters when executing CHANGE MASTER TO via dynamically-composed SQL?
- Is there any documentation for which commands do and don't currently accept bind parameters?
- Should the "Stored Routine Limitations" documents be updated to reflect CHANGE MASTER TO as a specific exception?