Stored Routines: Tips, Tricks, and Solutions


Stored Routines: Tips, Tricks and Solutions

Alex Nozdrin, Software Developer, Server team, [email protected]
George Trujillo, Senior Instructor, [email protected]

Copyright 2007 MySQL AB. The World's Most Popular Open Source Database.

Agenda

Stored Objects Overview (5 min)
- Stored Procedures vs Stored Functions
- Features of triggers
- User and stored routine variables
- SQL SECURITY INVOKER / DEFINER
- When and why?

Technical Details (10 min)
- CREATE-time context
- Storing stored objects
- Current limitations
- Non-documented features

Dynamic SQL (10 min)
- SQL Injections
- Dealing with PS limitations

Real-life Examples (25 min)

Stored Objects Overview

- Stored Procedures vs Stored Functions
- Features of triggers
- User and stored routine variables
- SQL SECURITY INVOKER / DEFINER
- When and why?

(Remaining sections: Technical Details, Dynamic SQL, DBA Examples, Q&A)

Stored Objects Overview: Definition

Stored Objects
- Stored Routines
  - Stored Procedures
  - Stored Functions
- Triggers
- Events*

Stored Objects Overview: Stored Procedures vs Stored Functions

                      Stored Procedures                   Stored Functions
Return or generate    result set(s) [MySQL extension]     a single value
How to invoke         CALL: CALL sp1('Hello, world')      within an expression: SELECT sf(c1), c2 FROM t1
Parameters            IN; OUT; INOUT                      IN-only
Prepared statements   yes                                 no

> CALL sp1();
+---------------+
| Hello, world! |
+---------------+
| Hello, world! |
+---------------+
1 row in set (0.01 sec)

+----------------------+
| Again: Hello, world! |
+----------------------+
| Again: Hello, world! |
+----------------------+
1 row in set (0.02 sec)

> SELECT sf1();
+-------+
| sf1() |
+-------+
|     1 |
+-------+
1 row in set (0.00 sec)

Stored Objects Overview: Triggers

- Activation time: BEFORE, AFTER
- Events: INSERT, UPDATE, DELETE
- Special variables: NEW, OLD
- FOR EACH ROW only
- One trigger per table for each {activation time, event} pair
- No result set: no CALL of a procedure that generates a result set; use OUT parameters to pass data from stored procedures
- Can not begin or end transactions, explicitly or implicitly
- No DDL
- No temporary tables or views
- No prepared statements

Stored Objects Overview: User and Stored Routine Variables

                         Scope                       Declaration   Type system
User variable            session                     no            weakly typed
Stored routine variable  stored routine execution    mandatory     strongly typed

User variable example:
  SET @a = 1; SET @b = '2';
  SELECT @a + @b;          --> 3
  SELECT CONCAT(@a, @b);   --> 12

Stored routine variable example:
  DECLARE a INT DEFAULT 1;
  DECLARE b CHAR(10) DEFAULT '2';
  DECLARE c INT;
  SET c = a + b;           --> 3
  SET c = CONCAT(a, b);    --> 12, warning

Internally, a user variable is an item in an expression; a stored routine variable is a column in a temporary table.

Stored Objects Overview: SQL SECURITY: Definition

- SQL SECURITY DEFINER: an SUID object; executes under the definer, the user who created the object (or the user named in the DEFINER clause)
- SQL SECURITY INVOKER: executes with the privileges of the user who invokes the object
- DEFINER clause: DEFINER = username@hostname
  - Requires the SUPER privilege
  - Specifies the user whose privileges will be used when executing the object

Stored Objects OverviewSQL SECURITY: Example
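The example image from this slide is not in the transcript; the following is an added example (not the talk's own code) showing how DEFINER and INVOKER routines differ for an application account that has no table privileges. Assumed names: database hr, table salaries, accounts 'owner'@'localhost' and 'app'@'localhost'.

```sql
-- Added example, not from the slides. Assumed names: hr, salaries, 'owner'@'localhost', 'app'@'localhost'.
CREATE DATABASE IF NOT EXISTS hr;
USE hr;
CREATE TABLE salaries (emp_id INT PRIMARY KEY, amount DECIMAL(10,2)) ENGINE=InnoDB;
INSERT INTO salaries VALUES (1, 1000.00), (2, 2000.00);

-- The definer account can read the table; the application account gets no table privilege at all.
CREATE USER 'owner'@'localhost' IDENTIFIED BY 'owner_password';
GRANT SELECT ON hr.salaries TO 'owner'@'localhost';
CREATE USER 'app'@'localhost' IDENTIFIED BY 'app_password';

DELIMITER //
-- SUID object: runs with 'owner' privileges whoever calls it.
-- Specifying an explicit DEFINER requires the SUPER privilege at CREATE time.
CREATE DEFINER = 'owner'@'localhost' PROCEDURE salary_total(OUT total DECIMAL(12,2))
    SQL SECURITY DEFINER
BEGIN
    SELECT SUM(amount) INTO total FROM salaries;
END //

-- INVOKER object: the caller itself needs SELECT on salaries.
CREATE PROCEDURE salary_list()
    SQL SECURITY INVOKER
BEGIN
    SELECT emp_id, amount FROM salaries;
END //
DELIMITER ;

-- Only EXECUTE is granted, so 'app' can obtain the aggregate but never the individual rows.
GRANT EXECUTE ON PROCEDURE hr.salary_total TO 'app'@'localhost';
GRANT EXECUTE ON PROCEDURE hr.salary_list  TO 'app'@'localhost';

-- Connected as 'app'@'localhost':
--   CALL hr.salary_total(@t); SELECT @t;   -- works, returns 3000.00
--   CALL hr.salary_list();                 -- fails: SELECT command denied (INVOKER, no table privilege)
```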


Stored Objects Overview: Stored Routines: Why?

1. Security
   - No need to grant privileges on the tables
   - Code security: the application developer can not easily modify the SQL code
2. Performance
   - Cached on the server
   - Can be designed to reduce network traffic
3. Consistency
   - No copy & paste
   - Separation of interface and implementation
4. Maintenance
   - Implementation can change
   - No need to change clients during an upgrade

Stored Objects Overview: Triggers: Why?

1. Log
2. Audit
3. Change data of an operation (INSERT, UPDATE)
4. Prevent some operations

Example of preventing an operation: a trigger may not commit or roll back, so calling a procedure that does raises an error and aborts the INSERT.

  CREATE PROCEDURE throw_error() ROLLBACK; -- Any stmt causing COMMIT or ROLLBACK
  CREATE TABLE t1(c INT) ENGINE=InnoDB;
  DELIMITER //
  CREATE TRIGGER t1_bi BEFORE INSERT ON t1 FOR EACH ROW
  BEGIN
    IF NEW.c = 2 THEN
      CALL throw_error();
    END IF;
  END //
  DELIMITER ;

Stored Objects Overview: What is BAD?

- Processing close to the data means scale-up, while MySQL's way is scale-out
- Current limitations

Technical Details

- CREATE-time context
- Storing stored objects: SHOW CREATE and INFORMATION_SCHEMA
- Current limitations
- SHOW CODE, SHOW PROFILE

(Remaining sections: Dynamic SQL, Real-life Examples, Q&A)

Technical Details: CREATE-time context: Execution Overview

Technical Details: CREATE-time context

CREATE-time context: a list of attributes that are fixed at CREATE time
- sql_mode: the main switch of MySQL behavior
- character_set_client: defines the character set of the CREATE statement
- collation_connection: defines the character set / collation rules for the execution
- collation_database: owner database collation
- current database
- time_zone (events)

Technical Details: Storing stored objects

- Stored routines: mysql.proc table (mysql is a system database)
- Triggers: TRG, TRN files
- Stored objects are stored in the original form: original character set, character set introducers untouched, ...

  CREATE PROCEDURE p1() SELECT 'text1', _cp1257 'text2';

Technical Details: SHOW CREATE vs INFORMATION_SCHEMA

SHOW CREATE
- Returns the original query in the original character set
- The query can be binary (consists of several charsets)

  CREATE PROCEDURE p1() SELECT 'text1', _cp1257 'text2';

INFORMATION_SCHEMA
- Returns the normalized query in UTF8
- Normalized == no character set introducers

  CREATE PROCEDURE p1() SELECT 'text1-in-utf8', 'text2-in-utf8';

Confused?
- Use SHOW CREATE for dump / backup (mysqldump uses SHOW CREATE)
- Use INFORMATION_SCHEMA for

Technical Details: Limitations

- Common
- Prepared Statements
- Stored Routines

Technical Details: Limitations: Common

- Meta-data is fixed at compilation time, i.e. don't change meta-data on the fly, i.e. NO ALTER
- BAD examples:
  - Prepare a statement & ALTER its meta-data
  - Execute a SR & ALTER meta-data
  - Create a trigger & ALTER meta-data
- Why? The server does not track the dependencies of the objects in the cache (compiled objects)

Technical Details: Limitations: Prepared Statements

- No support for OUT parameters
- No query plan cache
- No arrays
- Placeholders are not supported everywhere: table names, column names, dynamic search condition

Technical Details: Limitations: Stored Routines

- Cache: per connection; no limit; almost any DDL flushes all caches
- No COLLATE for stored routine variables
- No SIGNAL / RESIGNAL
- A SR variable shadows a column of the same name
- Prepared statements:
  - PREPARE uses only user variables (no SR vars)
  - EXECUTE uses only user variables (no SR vars, no constants)

Technical Details: Non-documented features

- SHOW PROCEDURE | FUNCTION CODE (available only in servers built with debugging support)
- SHOW PROFILE (5.0, Community patch)

  CREATE PROCEDURE p1(x INT)
  BEGIN
    IF x < 0 THEN
      INSERT INTO TError VALUES (CONCAT('Negative value: ', x));
    ELSEIF x > 100 THEN
      INSERT INTO TError VALUES (CONCAT('Too large value: ', x));
    ELSE
      INSERT INTO Tvalues VALUES (x);
    END IF;
  END

  SHOW PROCEDURE CODE p1;
  +-----+---------------------------------------------------+
  | Pos | Instruction                                       |
  +-----+---------------------------------------------------+
  |   0 | jump_if_not 3(7) (x@0 < 0)                        |
  |   1 | stmt 5 "INSERT INTO TError VALUES (CONCAT('..."   |
  ...

Dynamic SQL

- SQL Injections
- Dealing with PS limitations: dynamic table / column names, dynamic WHERE, arrays

(Remaining sections: Real-life Examples, Q&A)

Dynamic SQL: Kinds of Dynamic SQL

Dynamic queries
- Pros: good for prototyping; universal approach; the only way to do some things
- Cons: cluttering the client code, copy & paste; the query has to be parsed each time; SQL injections

Prepared statements
- Pros: a query is parsed only once; no SQL injections
- Cons: extra job if the query is executed only once; not all SQL statements supported; arrays are not supported; placeholders can not be used everywhere

HINT: close the PS after use

Dynamic SQL: SQL Injections (1)

Dynamic query:

  my $name = ...;   # read from HTML form
  my $s = "SELECT id FROM t1 WHERE name = '$name'";
  mysql_query($mysql, $s);

An arbitrary SQL query can be executed:
  $name: '; DELETE FROM t1 WHERE 'a' = 'a
  $s:    SELECT id FROM t1 WHERE name = ''; DELETE FROM t1 WHERE 'a' = 'a';

The SQL query can be compromised:
  $name: ' OR 'a' = 'a

Dynamic SQL: SQL Injections (2)

Prepared statements (a stored procedure is used just for convenience here):

  CREATE PROCEDURE check_user(name VARCHAR(255))
  BEGIN
    SET @name = name;   -- EXECUTE ... USING accepts only user variables
    PREPARE stmt FROM 'SELECT id FROM t1 WHERE name = ?';
    EXECUTE stmt USING @name;
    DEALLOCATE PREPARE stmt;
  END

  CALL check_user("valid_user_name");                     --> id: 1
  CALL check_user("'; DELETE * FROM t1 WHERE 'a' = 'a");  --> Nothing
  CALL check_user("' OR 'a' = 'a");                       --> Nothing

Dynamic SQL: SQL Injections (3)

C API (other instruments):
- mysql_real_escape_string(): escapes quotes, CR / LF, NUL, slash / backslash
- mysql_real_query(): one query at a time

Dynamic SQL: Dynamic Table / Column Names

- Avoid that: tables are types, columns are attributes
- Workaround: use a prepared statement to pass parameters; check column or table names

Dynamic SQL: Dynamic table name: Example

Two alternative checks (variant 1 is a whitelist of known names, variant 2 rejects dangerous characters; the slide leaves variant 2 incomplete):

  create function check_table_name(table_name char(10)) returns bool
    return strcmp(lcase(table_name), 't1') = 0 or strcmp(lcase(table_name), 't2') = 0;

  create function check_table_name(table_name char(10)) returns bool
    return instr(table_name, "'") = 0 and ... instr(table_name, '(') = 0;

  create procedure p1(table_name char(10), value char(255))
  l1: begin
    if check_table_name(table_name) != 1 then
      leave l1;
    end if;
    SET @s = CONCAT('SELECT name FROM ', table_name, ' WHERE id = ?');
    -- the slide ends here; completed with the prepared-statement pattern used elsewhere in the talk
    SET @v = value;
    PREPARE stmt FROM @s;
    EXECUTE stmt USING @v;
    DEALLOCATE PREPARE stmt;
  end
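The same workaround generalized, as an added example that is not the talk's own code: instead of a hard-coded whitelist, the table name is checked against INFORMATION_SCHEMA for the current database and quoted as an identifier, while the data value still travels through a placeholder. Assumed: tables with columns id and name in the current database; the procedure name select_name_by_id is made up.

```sql
-- Added example, not from the slides. Assumes the current database has tables with columns id, name.
DELIMITER //
CREATE PROCEDURE select_name_by_id(IN tbl VARCHAR(64), IN id_value INT)
l1: BEGIN
    -- 1. Whitelist check: the name must be an existing base table in the current database
    --    (DATABASE() is NULL without a default database, so the check then fails closed).
    --    Text that is not exactly a table name, whatever it contains, is rejected here.
    IF (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES
          WHERE TABLE_SCHEMA = DATABASE()
            AND TABLE_NAME = tbl
            AND TABLE_TYPE = 'BASE TABLE') <> 1 THEN
        SELECT 'unknown table' AS error;
        LEAVE l1;
    END IF;

    -- 2. Only the validated identifier goes into the statement text, backtick-quoted
    --    (embedded backticks doubled); the data value is bound with EXECUTE ... USING.
    SET @s = CONCAT('SELECT name FROM `', REPLACE(tbl, '`', '``'), '` WHERE id = ?');
    SET @v = id_value;               -- EXECUTE can only read user variables, not SR variables
    PREPARE stmt FROM @s;
    EXECUTE stmt USING @v;
    DEALLOCATE PREPARE stmt;         -- HINT from the slides: close the PS after use
END //
DELIMITER ;

CALL select_name_by_id('t1', 1);             -- runs: SELECT name FROM `t1` WHERE id = 1
CALL select_name_by_id('no_such_table', 1);  -- rejected by the whitelist check, nothing is prepared
```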

Dynamic SQL: Dynamic WHERE

- SELECT * FROM table_name WHERE ?
- Must not be used in the general case
- Can be replaced by static SQL in common cases

Dynamic SQL: Dynamic WHERE: Example

  CREATE TABLE t1(c1 INT, c2 INT, c3 TEXT);
  INSERT INTO t1 VALUES (1, 1, 'hello'), (1, 2, 'world'), (2, 1, 'foo');

  CREATE PROCEDURE p1(v1 INT, v2 INT, v3 VARCHAR(255))
  BEGIN
    SELECT c1, c2, c3 FROM t1
    WHERE (v1 IS NULL OR c1 = v1)
      AND (v2 IS NULL OR c2 = v2)
      AND (v3 IS NULL OR STRCMP(c3, v3) = 0);
  END

Dynamic SQL: Arrays

The problem: SELECT * FROM table WHERE id IN (?)

Solutions
- CSV-list, e.g. 123; 456.789; 10; hello world; another list item
  - Needs proper escaping (delimiters)
  - Extra spaces, malicious (illegal) input, empty items
  - Slow
  - Typical for legacy or imported data
- Fixed-width list, e.g. red   blue  green white orange (6 symbols each)
  - More memory
  - Not always possible
  - Usually faster than a CSV-list
- Temporary table: probably the best
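The CSV-list and temporary-table solutions combined, as an added example that is not the talk's own code: the list is split inside the procedure into a temporary table that is then joined, so the list never becomes part of a statement string. Assumed: a table t1(id INT, name ...); the procedure name select_by_id_list is made up.

```sql
-- Added example, not from the slides. Assumes table t1 with columns id and name.
DELIMITER //
CREATE PROCEDURE select_by_id_list(IN id_list TEXT)
BEGIN
    DECLARE item VARCHAR(64);
    DECLARE pos INT;
    DROP TEMPORARY TABLE IF EXISTS tmp_ids;
    CREATE TEMPORARY TABLE tmp_ids (id INT NOT NULL, PRIMARY KEY (id)) ENGINE=MEMORY;

    SET id_list = CONCAT(id_list, ',');      -- sentinel: the last item is handled like the others
    WHILE LENGTH(id_list) > 0 DO
        SET pos = LOCATE(',', id_list);
        SET item = TRIM(SUBSTRING(id_list, 1, pos - 1));   -- extra spaces are tolerated
        SET id_list = SUBSTRING(id_list, pos + 1);
        -- Empty items ("1,,2") are skipped and anything that is not all digits is refused,
        -- so malicious or garbage input is dropped instead of ever reaching SQL text.
        IF item <> '' AND item REGEXP '^[0-9]+$' THEN
            INSERT IGNORE INTO tmp_ids VALUES (CAST(item AS UNSIGNED));   -- IGNORE drops duplicates
        END IF;
    END WHILE;

    -- The IN-list is now an ordinary join, no dynamic SQL involved.
    SELECT t1.id, t1.name FROM t1 JOIN tmp_ids USING (id) ORDER BY t1.id;
    DROP TEMPORARY TABLE tmp_ids;
END //
DELIMITER ;

CALL select_by_id_list(' 3, 1,,abc, 2 ,3');   -- behaves like ... WHERE id IN (1, 2, 3)
```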

Dynamic SQL: MySQL Forge

http://forge.mysql.com
- Split a Delimited String in SQL
- MySQL General Purpose Stored Routines Library: arrays and basic data structures, "FOR EACH" loops, named parameters, syntax helpers

Real-life Examples

George Trujillo, Senior Instructor, [email protected]

Questions?

Thanks!

[email protected] [email protected]