[MDEV-31810] Sec feature request: New strict SQL mode for SELECT statement Created: 2023-07-31  Updated: 2023-09-10  Resolved: 2023-09-10

Status: Closed
Project: MariaDB Server
Component/s: Configuration, Data types
Fix Version/s: N/A

Type: Task
Priority: Major
Reporter: Takeshi Terada
Assignee: Sergei Golubchik
Resolution: Duplicate
Votes: 0
Labels: None

Issue Links:
Duplicate
duplicates MDEV-19362 New STRICT flags for sql_mode Open

Description

On MariaDB, strings can be equal to 0 (integer).

MariaDB [(none)]> select 'xyz'=0;
+---------+
| 'xyz'=0 |
+---------+
|       1 |
+---------+
1 row in set, 1 warning (0.000 sec)

This is contrary to most users' expectations in my opinion.
Postgres, Oracle, SQL Server, DB2, SQLite don't behave like this.

The security implication of this has been publicly discussed since 2013.

https://web.archive.org/web/20150216184354/http:/www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/
https://github.com/rails/rails/pull/16069
https://github.com/rails/rails/pull/42440

In data-changing statements, such bad string-to-number conversion triggers an error thanks to STRICT_TRANS_TABLES. My request is to add a new strict SQL mode that does the same for SELECT statements.
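As an added illustration (not part of the issue report), the coercion behind the request shown beside the string-typed comparison that avoids it, and the INSERT case that STRICT_TRANS_TABLES already rejects. The `api_keys` and `counters` tables and their rows are constructed for this example.

```sql
-- Constructed sample data (hypothetical table, not from the issue).
CREATE TABLE api_keys (
  id    INT PRIMARY KEY,
  token VARCHAR(64) NOT NULL
);
INSERT INTO api_keys VALUES (1, 'xyz'), (2, 'abc123'), (3, '7f3a');

-- The comparison from the issue: each token is converted to a number before
-- comparing. 'xyz' and 'abc123' become 0, '7f3a' becomes 7, so two rows match
-- and the server only emits warnings, even with STRICT_TRANS_TABLES set.
SELECT id FROM api_keys WHERE token = 0;   -- returns ids 1 and 2
SHOW WARNINGS;                              -- Truncated incorrect DOUBLE value: 'xyz', ...

-- Defensive forms: keep both operands as strings so no numeric coercion occurs.
SELECT id FROM api_keys WHERE token = '0';             -- plain string comparison, no rows
SELECT id FROM api_keys WHERE token = CAST(0 AS CHAR); -- same, for a value that arrives as a number

-- What STRICT_TRANS_TABLES already does for a data-changing statement:
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';
CREATE TABLE counters (n INT);
INSERT INTO counters VALUES ('xyz');  -- ERROR 1366: Incorrect integer value: 'xyz' for column 'n'
SELECT 'xyz' = 0;                     -- still 1 with a warning: SELECT is not covered
```

The two defensive SELECTs are the check worth adding in application code today: a string column should only ever be compared against a string-typed value.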

Comments
Comment by Sergei Golubchik [ 2023-09-10 ]

This is basically what MDEV-19362 suggests

Generated at Thu Feb 08 10:26:38 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.