[MDEV-27780] 'CHANGE MASTER' command (and many others) do not support bind parameters Created: 2022-02-08  Updated: 2023-02-23

Status: Open
Project: MariaDB Server
Component/s: Prepared Statements
Affects Version/s: 10.6.5
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Daniel Lenski Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: replication


 Description   

According to the documentation, the CHANGE MASTER TO statement is permitted within dynamically composed SQL statements (via PREPARE/EXECUTE and/or EXECUTE IMMEDIATE).

However, unlike other statements, the CHANGE MASTER TO statement does not support bind parameters. Evidence for this limitation on 10.6.5:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
 
Your MariaDB connection id is 15
 
Server version: 10.6.5-MariaDB managed by https://aws.amazon.com/rds/
 
 
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
 
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
 
 
MariaDB [(none)]> EXECUTE IMMEDIATE "SELECT ? AS test1, ? AS test2" USING 1, "foobar";
 
+-------+--------+
 
| test1 | test2  |
 
+-------+--------+
 
|     1 | foobar |
 
+-------+--------+
 
1 row in set (0.000 sec)
 
 
 
MariaDB [(none)]> EXECUTE IMMEDIATE "CHANGE MASTER TO MASTER_HOST = ?, MASTER_PORT=?, MASTER_SSL=1" USING 'my.host.com', 1234;
 
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '?, MASTER_PORT=?, MASTER_SSL=1' at line 1
 
 
 
MariaDB [(none)]> EXECUTE IMMEDIATE "CHANGE MASTER TO MASTER_HOST = 'my.host.com', MASTER_PORT=1234, MASTER_SSL=1";
 
Query OK, 0 rows affected (0.007 sec)

Furthermore, CHANGE MASTER TO cannot be used in stored procedures except when wrapped in wrapping dynamic SQL. (Also, the "Stored Routine Limitations" docs don't mention it as an exception to permitted statements.)

Because of these limitations, the only way to execute CHANGE MASTER TO with variable parameters in stored procedures is to interpolate these variables’ values directly into a dynamically composed SQL string.

This means that there is a large attack surface for SQL injection if potentially-untrusted values are provided to CHANGE MASTER TO in this way.

Questions:

  1. Is it possible to accept bind parameters when executing CHANGE MASTER TO via dynamically-composed SQL?
  2. Is there any documentation for which commands do and don't currently accept bind parameters?
  3. Should the "Stored Routine Limitations" documents be updated to reflect CHANGE MASTER TO as a specific exception?

 Comments   
Comment by Daniel Lenski [ 2022-02-09 ]

I updated "Stored Routine Limitations" to reflect the fact that CHANGE MASTER TO isn't permitted. https://mariadb.com/kb/en/stored-routine-limitations/+r/112995/

Comment by Daniel Lenski [ 2022-11-02 ]

It appears this issue is also present in MySQL; I tested on v8.0.

Also undocumented there: https://dev.mysql.com/doc/refman/8.0/en/sql-prepared-statements.html#prepared-statements-permitted

Comment by Daniel Lenski [ 2023-02-22 ]

This would be a ripe opportunity for test-driven development.

Start fixing this by creating a test that tries using bind parameters for pretty much every variant of pretty much every known query type:

  • Bind parameters documented as working, and actually work? Known-good, no action needed,
  • Bind parameters not documented as working, but do actually work? Short-term/easy: Improve documentation
  • Bind parameters not documented as either working/not-working, but don't work, like in this case here? Make them work
  • Bind parameter documented as not working, and don't work? Longer-term: Can we reduce these cases?
Generated at Thu Feb 08 09:55:31 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.