I have a database to which several real users have access using JDBC. The separation of these users is very crucial, such that they are neither able see nor manipulate each other's data.
To separate the users' data, I decided to create the few corresponding tables for every user, and only give the owning user the permissions on this table. This is all done automatically in a stored procedure.
Besides this table separation, I want a user only to execute stored procedures to work with his tables, not arbitrary SQL queries.
Let's consider an example procedure like
DELIMITER //
CREATE PROCEDURE MyProcedure(IN p_identifier VARCHAR(30), IN p_key INT(10))
BEGIN
SET #p_identifier = p_identifier;
SET #p_key = p_key;
SET #s = CONCAT('DELETE FROM ', p_identifier, '_mytable WHERE key =?;');
PREPARE stmt FROM #s;
EXECUTE stmt USING #p_key,
DEALLOCATE PREPARE stmt;
END //
DELIMITER ;
And use it like CALL MyProcedure('ad3e981b', 2);.
So far, so good.
Problems arise since this procedure is used by all users (the first paraeter is the table-prefix). This is bad, because once a user gets execution privileges for MyProcedure, he is able to to provide any table-prefix at will and mess with other user's data - so my user separation is gone. This is the problem I need to solve.
I currently see two solutions:
Don’t use stored procedures: Just give INSERT/DELETE/SELECT privileges on the user's table only to the user. This is simple and works - but I'd prefer to only call stored procedures over JDBC, not arbitrary SQL queries.
Make a stored procedure for EVERY user, in which the table prefix is invariant (e.g, table-prefix_MyProcedure(), which is only executable by one user). Then, assign the execution privilege only to the corresponding user. However, this should be done automatically on request - hence, I need to be able to create a stored procedure with a parameterized name to set this up (phew). As the title suggests, this is the way I want to go - but I really struggle with the syntax of dynamically creating a stored procedure (in a stored procedure) and thus, I'm really not sure if this is how I should proceed.
Any ideas how I got approach this problem?
Regards,
raute
Related
set #sourcedb = 'testdb1' set #destinationdb = 'testdb2' CREATE TABLE IF NOT EXISTS #destinationdb.Testtable Like #sourcedb.Testtable;
I have tried copy one table from one database to another database with same name.
how to pass database name as a parameter?
I've tried that before but id doesn't work. I wonder if there's a way to that way though. In the meantime I'm just using prepared statement instead. See example query below:
SET #ctable='CREATE TABLE testdb12.testtable LIKE testdb21.testtable';
PREPARE stmt FROM #ctable;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
Now, I don't really know your usage but in my case, I use this to create a new table on the 1st every month. So I keep this query in a text file, use a batch script to call it and then use task schedule to execute it every 1st of the month (yes, I'm using Windows). Hopefully, this might be what you're looking for.
*I found this solution in one of the answer here but I can't remember/didn't bookmark the solution. I would like to credit this properly.
Edit : I found this mysql create table dynamically .. maybe you can use it
I want to take database script backup every day using event in mySql ..I am new to mySql , so unable to find out exact solution..can anybody help me to do so??
Tried it using mysqldump utility but it is command promt oriented , i want it to be done through event scheduler only.
DELIMITER $$
create EVENT `Backup`
ON SCHEDULE EVERY 1 minute
STARTS '2016-02-25 17:08:06' ON COMPLETION PRESERVE ENABLE
DO
BEGIN
SET #sql_text = CONCAT("SELECT * FROM purpleaid INTO OUTFILE '/C:/Users/Admin123/Desktop/db/" , DATE_FORMAT( NOW(), '%Y%m%d') , "db.csv'" );
PREPARE s1 FROM #sql_text;
EXECUTE s1;
DEALLOCATE PREPARE s1;
END $$
DELIMITER ;
tried this , but its for single table only.I want complete database script
You can use information_schema.tables table to get list of tables within a database, and information_schema.columns table to get list of columns (just in case you want to have column names included in the backup files).
Create a cursor by getting all table names from your database
Loop through the cursor and get the table name into a variable
Construct your select ... into outfile ... statements the same way as you do in your current code, just add the table name from the variable.
Execute the prepared statement.
If you want to add the column names dynamically to the output, then combine Joe's and matt's answers from this SO topic.
UPDATE
For views, stored procedures, functions, and triggers (and tables, for that matter) the issue is that you can't really interact with show create ... statements' results within sql. You can try to recreate their definitions from their respective information_schema tables, but as far as I know, it is not possible to fully reconstruct each object just based on these tables. You need to use an external tool for that, such us mysqldump. If you want a full backup option, then you would be a lot better off, if you used an external tool, that is scheduled by the OS' task scheduler.
Since table structures and other database objects do not change that often (at least, not in production), you can use external tool to back up the structure and use the internal scheduled script to regularly back up the contents.
I need to use user variable in prepare statement of mysql
stored procedure. (The purpose is to substitute the table name in
drop table command, which is unable to be injected via ? and
passed via execute using... statement because it is not a data element).
I suppose the user variables are session-wide global variables.
I suppose the stored procedure accessing the user variable must be
synchronized to protect against unwanted behaviour when it is called
simultaneously more times within single session (which I cannot prevent).
How to perform such synchronization?
Is there any chance it is performed internally by the mysql?
It seems like mysql get_lock() & co. uses logic that does not help much:
get_lock('a') followed by get_lock('b') destroys state of a. Maybe I have terribly missed some point here...
For those who would ask the "what exactly would you like to do" question:
drop procedure if exists drop_t_table; delimiter $$
create procedure drop_t_table(in in_t_table_name varchar(128))
begin
declare sql_drop varchar(256) default 'drop temporary table if exists ';
--
-- I would suspect sql_drop_table user variable guard should be locked here...
--
set #sql_drop_table = concat(sql_drop, in_t_table_name);
--
-- What if the procedure is preempted to another call here
-- and the sql_drop_table gets different table name?
--
prepare exe from #sql_drop_table;
--
-- ...and unlocked here
--
execute exe;
deallocate prepare exe;
end$$ delimiter ;
Variables declared within your stored procedure are local to the procedure. An example is sql_drop in your code.
Each session is, basically, single-threaded. You can't do more than one thing at a time within a session. There's no way to call a stored procedure more than once from within a particular session.
If you have more than one session you can call the same stored procedure from both of them. But, a DROP TABLE operation is basically idempotent: If you call it more than once, it has the same effect as calling it just once. It isn't precisely idempotent: it throws an error if the table doesn't exist. But, still, dropping the same table more than once isn't any more destructive than dropping it once.
Temporary tables (a) are only visible to the session that created them, and (b) vanish when the session ends. So, going to a lot of trouble to drop them explicitly might be overkill.
So, with respect, you might be overthinking this problem.
I have execute only access to a stored procedure.
This SP seems to select some data from multiple tables, and returns one row. I need to store two columns of the output of this SP into a table.
Is there any way to do this within MySQL?
If it returns a row, this is a stored function and not a stored procedure. You can use something like the following to insert into your table:
INSERT INTO tablename SELECT (SELECT col1, col2 FROM (SELECT somefunction()))
Otherwise, it will be a stored procedure and you should do something like this, assuming that #var1 and #var2 are output parameters:
CALL someprocedure(#var1, #var2, #var3)
INSERT INTO tablename SELECT(#var1, #var2)
See the documentation about Create Procedure and Create Function for more information about functions versus procedures.
MySQL has an extension to stored procedures that allows the procedure to return one or more result sets to the client, as if the client had issued a SELECT query... but those results are ephemeral. They don't persist and they can't be stored in variables or otherwise accessed after the procedure finishes -- they can only be "fetched" the one time.
There is a way to make them accessible without breaking the way the procedure already works, as I discussed here, but you can't do it without a change to the procedure:
How to use Table output from stored MYSQL Procedure
The idea is for the procedure to write its output in a temporary table, and then return it to the caller by calling SELECT against the temporary table -- but to leave the temporary table behind so that the caller can access it directly if desired.
That's not exactly the same as what you're asking though, which is why I didn't mark this question as a duplicate, since you, unlike the other poster, do not appear to have administrative control of the procedure... but unless you can make the case for a change like this, there's not another way within MySQL to access those returned values, since they only exist in the result-set that's returned.
Of course, procedures do have optional OUT parameters, where you can hand variables to the procedure as part of arguments you use to call it, and it can set those variables, so that they'll have the values you need when the procedure is done, but that only works when the return values are scalars and would require a change to the procedure's interface, since procs in MySQL do not have "optional" arguments... if the procedure were changed to permit this, it would require an increased number of arguments to be provided every time it was called, and if other components are calling it, that could easily break other things.
I know that in triggers you have the keywords NEW and OLD to refer to the entry that is being, or was, inserted into the table to which the trigger is bound. Are there any other keywords? I'm looking for one specifically that reference's the table that the trigger is bound to (like CUR_TABLE, or something); this way I can copy the trigger and apply it to several tables with different names and not need to alter the body of the trigger? Thanks in advance for any help!
Dynamic SQL cannot be used in triggers. For the trigger to exist, then the developer already knows what table he's in - so the table name should theoretically be hard coded.
If you are generating triggers, from say a stored procedure, you can generate them with variable table names - but cannot execute them (so you would have to take the result of the stored procedure and execute it separately).
See: http://dev.mysql.com/doc/refman/5.6/en/stored-program-restrictions.html
SQL prepared statements (PREPARE, EXECUTE, DEALLOCATE PREPARE) can be used in stored procedures, but not stored functions or triggers. Thus, stored functions and triggers cannot use dynamic SQL (where you construct statements as strings and then execute them).
This is not possible in MySQL. You may do a small PHP script that generates the code for each "table name" in an array :)