MariaDB Server / MDEV-31810

Sec feature request: New strict SQL mode for SELECT statement


Description

      On MariaDB, strings can be equal to 0 (integer).

      MariaDB [(none)]> select 'xyz'=0;
      +---------+
      | 'xyz'=0 |
      +---------+
      |       1 |
      +---------+
      1 row in set, 1 warning (0.000 sec)
      

      This is contrary to most users' expectations in my opinion.
      Postgres, Oracle, SQL Server, DB2, SQLite don't behave like this.

      The security implications of this have been publicly discussed since 2013.

      https://web.archive.org/web/20150216184354/http:/www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/
      https://github.com/rails/rails/pull/16069
      https://github.com/rails/rails/pull/42440

      In data-changing statements, such bad string-to-number conversion triggers an error thanks to STRICT_TRANS_TABLES. My request is to add a new strict SQL mode that does the same for SELECT statements.
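As an added illustration that is not part of the issue text above: the following MariaDB session, run against a constructed table, shows how the implicit string-to-number comparison turns a token lookup into a query that matches rows it should not, how the same comparison inside a DELETE is rejected once STRICT_TRANS_TABLES is in effect, and how keeping both operands as strings avoids the conversion entirely. The table, column names and sample rows are assumptions made for the example.

```sql
-- Added example for MDEV-31810 (not from the issue or the MariaDB project).
-- Table and rows are constructed for illustration only.
CREATE TABLE password_resets (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL,
  token VARCHAR(64)  NOT NULL
);

INSERT INTO password_resets VALUES
  (1, 'alice@example.com', 'ab12cd34ef56'),   -- leading letter: converts to 0
  (2, 'bob@example.com',   'fe98dc76ba54'),   -- leading letter: converts to 0
  (3, 'carol@example.com', '5a9c8b7d6e1f');   -- leading digit: converts to 5

-- An application that coerces an untrusted parameter to an integer (a missing
-- or non-numeric token becoming 0, as in the linked Rails reports) ends up
-- sending this statement. Every token whose leading characters are not
-- numeric is truncated to 0 with only a warning, so rows 1 and 2 match.
-- Row 3 does not, because '5a9c...' truncates to 5: which rows a lookup
-- returns depends on the stored token text, not on the supplied value.
SELECT id, email FROM password_resets WHERE token = 0;
-- +----+-------------------+
-- | id | email             |
-- +----+-------------------+
-- |  1 | alice@example.com |
-- |  2 | bob@example.com   |
-- +----+-------------------+
-- (warnings: 1292 Truncated incorrect DOUBLE value: ...)

-- The same comparison in a data-changing statement is an error under
-- STRICT_TRANS_TABLES; this is the behaviour the request asks to extend
-- to SELECT.
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';
DELETE FROM password_resets WHERE token = 0;
-- ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'ab12cd34ef56'

-- Mitigation available today: never let the number/string comparison
-- happen. Bind the parameter as a string in the driver, or cast it, so both
-- operands are strings and no implicit conversion is applied to the column.
SELECT id, email FROM password_resets WHERE token = '0';             -- Empty set
SELECT id, email FROM password_resets WHERE token = CAST(0 AS CHAR); -- Empty set
```

The comparison-side fix is what the Rails pull requests linked above do in the ORM layer; the SELECT in the middle of the session is the case that no current sql_mode setting turns into an error, which is the gap this request describes.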

People

  serg Sergei Golubchik
  tterada Takeshi Terada