Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multistatements and multi results #411

Merged
merged 10 commits into from
Jan 30, 2016
Merged

Multistatements and multi results #411

merged 10 commits into from
Jan 30, 2016

Conversation

julienschmidt
Copy link
Member

The daily PR:

  • Adds new DSN param to allow multiple statements in one query
  • Enables usage of stored procedures (even without multiStatements=true)

Fixes #66
Fixes #163
Fixes #325
Fixes #338
Fixes #339

lucalooz and others added 7 commits January 20, 2016 17:29
@lucalooz @julienschmidt
Enable Multi Results support and discard additional results
8cbeffa 
- packets.go: flag clientMultiResults, update status when receiving an
EOF packet, discard additional results on readRow when EOF is reached
- statement.go: currently a nil rows.mc is used as an eof, don’t set it
if there are no columns to avoid that Next() waits indefinitely
- rows.go: discard additional results on close and avoid panic on
Columns()
@lucalooz @julienschmidt
Add Idhor (Luca Looz) to AUTHORS for multi-results
5ce0b98
@badoet @julienschmidt
added the multiStatements param to the dsn parameter
1bdf5bd
@badoet @julienschmidt
add test for the new dsn param
71c5db6
@badoet @julienschmidt
TestMultiQuery
4aa920d 
discard additional OK response after Multi Statement Exec Calls
@julienschmidt
Fix driver tests
acb3ebd
@julienschmidt
check discardMoreResultsIfExists err
c1e44c4
@julienschmidt julienschmidt added this to the v1.3 milestone Jan 20, 2016
@julienschmidt julienschmidt mentioned this pull request Jan 20, 2016
Closed
arnehormann
arnehormann reviewed Jan 21, 2016
View reviewed changes
README.md
Default: false
```

Allow multiple statements in one query. While this allows batch queries, it also greatly increases the risk of SQL injections.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add something like "results are returned for the first query only, others are silently discarded".

@julienschmidt
Copy link
Member Author

PTAL

@arnehormann
Copy link
Member

I'd like some tests and/or documentation for what happens if you run

  • db.Query("UPDATE ...; SELECT ...")
  • db.Exec("SELECT ...; UPDATE ...")

And I'd prefer discardResults or at least discardOtherResults (as in "all results not already read") to discardMoreResultsIfExists.
LGTM otherwise.
Good job 👍, sorry for slow reviews...

julienschmidt added a commit that referenced this pull request Jan 30, 2016
@julienschmidt
Merge pull request #411 from go-sql-driver/multistmt
b4db83c 
Multistatements and multi results
@julienschmidt julienschmidt merged commit b4db83c into master Jan 30, 2016
@julienschmidt julienschmidt deleted the multistmt branch January 30, 2016 00:03
@wuranbo
Copy link

wuranbo commented Feb 27, 2016

@julienschmidt thanks so much. Love you superman!

@badoet badoet mentioned this pull request Jul 27, 2016
Closed
@smurfpandey smurfpandey mentioned this pull request Aug 3, 2016
Closed
@clue clue mentioned this pull request Jun 15, 2018
Merged
@babygoat babygoat mentioned this pull request Dec 1, 2018
Closed
@arp242 arp242 mentioned this pull request Apr 22, 2021
Closed
5 tasks
arp242 added a commit to arp242/mysql that referenced this pull request May 16, 2023
@arp242
Remove SQL injection warning for multiStatement in README
b943695 
I can't really find any reference to the risk of SQL injections. This
sets the clientMultiStatements flag (or CLIENT_MULTI_STATEMENTS in the C
API).

This comment was added in go-sql-driver#411, but without much explanation, and I
can't find anything in e.g. go-sql-driver#66 or other issues either.

The documentation for MySQL[1] or MariaDB[2] doesn't warn for SQL
injections, and after some internet searching the only reference I found
was in the PHP Docs[3]:

	The API functions mysqli::query() and mysqli::real_query() do
	not set a connection flag necessary for activating multi queries
	in the server. An extra API call is used for multiple statements
	to reduce the damage of accidental SQL injection attacks. An
	attacker may try to add statements such as ; DROP DATABASE mysql
	or ; SELECT SLEEP(999).

So I assume this is what this comment refers to.

This removes the comment, as discussed in go-sql-driver#1206.

[1]: https://dev.mysql.com/doc/c-api/8.0/en/c-api-multiple-queries.html
[2]: https://mariadb.com/kb/en/mysql_real_connect/
[3]: https://www.php.net/manual/de/mysqli.quickstart.multiple-statement.php
@arp242 arp242 mentioned this pull request May 16, 2023
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
v1.3
Development

Successfully merging this pull request may close these issues.
5 participants
@julienschmidt @arnehormann @wuranbo @lucalooz @badoet