MySQL Forums

Re: no more PREPARE and EXECUTE statement in stored procedure
Posted by: Pilon Mntry
Date: January 26, 2006 06:57AM

:)
This is funny. I was trying to write a vulnerable stored procedure in mysql (as in mssql) and thought it's not possible to write one ... until I read these messages.
In mssql a vulnerable sp might look like:
CREATE PROCEDURE dbo.StoredProcedure1(@username nchar(10))
AS
declare @myquery nchar(128)
select @myquery = 'select * from sessionlog where username = ''' + @username + ''''
exec (@myquery)  -- parentheses make EXEC run the string as dynamic SQL rather than as a procedure name
RETURN

And now I've learned that in MySQL the same SP can look alike, with a few changes:

PREPARE stm_str_sql FROM @str_sql;
EXECUTE stm_str_sql;

But sure, this is a very beneficial feature when used securely.
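
The MySQL pattern from the post, written out with the concatenating form beside a bound-parameter form, as an added example that is not part of the original post. The procedure names, the `@p_user` variable and the `sessionlog` column definitions are assumptions made for illustration; `DELIMITER` is a mysql client command, not server SQL.

```sql
-- Constructed schema for illustration (table and column names follow the post).
CREATE TABLE IF NOT EXISTS sessionlog (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(10) NOT NULL,
  logged_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
);

DELIMITER //

-- Weak form: the parameter is concatenated into the statement text,
-- so whatever it contains is parsed as part of the SQL statement.
CREATE PROCEDURE sessions_concat(IN p_username VARCHAR(10))
BEGIN
  SET @str_sql = CONCAT('SELECT * FROM sessionlog WHERE username = ''',
                        p_username, '''');
  PREPARE stm_str_sql FROM @str_sql;
  EXECUTE stm_str_sql;
  DEALLOCATE PREPARE stm_str_sql;
END//

-- Hardened form: the statement text is a constant and the value is bound
-- through a ? placeholder, so it is only ever treated as data.
CREATE PROCEDURE sessions_bound(IN p_username VARCHAR(10))
BEGIN
  SET @str_sql = 'SELECT * FROM sessionlog WHERE username = ?';
  SET @p_user  = p_username;          -- EXECUTE ... USING takes user variables
  PREPARE stm_str_sql FROM @str_sql;
  EXECUTE stm_str_sql USING @p_user;
  DEALLOCATE PREPARE stm_str_sql;
END//

-- When only a value varies, no dynamic SQL is needed at all:
-- a static statement uses the routine parameter directly as a value.
CREATE PROCEDURE sessions_static(IN p_username VARCHAR(10))
BEGIN
  SELECT * FROM sessionlog WHERE username = p_username;
END//

DELIMITER ;

-- Constructed call with a sample value.
CALL sessions_bound('alice');
```

Placeholders bind data values only; identifiers such as table or column names cannot be passed through `?` and need an allow-list check before they are placed in statement text.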
