Hi Brian, all,

On 11/10/2008, at 10:15 AM, Brian Aker wrote:
Its been possible to do the following via the protocol:

select 1; select 1;

And send them in the same packet. What is the problem?

SQL injection.

It makes it really simple for someone to pack in a new SQL statement by accident.

I am thinking we should header the protocol so that each statement is in its own envelope. You can still send multiple SQL statements in the same packet, but not via a simple delimiter.

And while we are at it remove the delimiter command and make sure all of its logic is in the client, not the server.


Sounds about right.

Let the client tag the envelope that comes back with the result, so there's never confusion over which query a result belongs to - although that problem currently doesn't exist in Drizzle (it's merely about MySQL stored procs doing SELECT ... without INTO) but just in case there's future situations where it does become relevant, might as well get the design correct now.

And, while we're at it, a flag indicating whether the client expects the queries to be executed in series (such as within a single transaction, and/or otherwise sequence-dependent) or whether they could (at the server's choice) be parallelised.

Making sense?


(taking notes, Eric? ;-)

Cheers,
Arjen.
--
Arjen Lentz, Director @ Open Query
Training and Expertise for MySQL in Australia and New Zealand
http://openquery.com.au/  (ph. +61-7-3103 0809)


_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to