I am trying to create a stored procedure in MySQL which is not supposed to be vulnerable to SQL injection. Hence I am using prepared statements inside this. I have a Patient table to which I want to add data using this procedure. This is what my stored procedure looks like.
DROP PROCEDURE IF EXISTS CreatePatient;
DELIMITER ##
CREATE PROCEDURE CreatePatient (IN alias VARCHAR(20))
BEGIN
PREPARE q1 FROM 'insert into Patient values (?)';
set #alias = alias;
EXECUTE q1 USING #alias;
END ##
DELIMITER ;
When I tried to run this without setting a new variable #alias,
EXECUTE q1 USING alias;
I am getting an SQL syntax error. From my understanding, it doesn't seem right to create a variable within the method body just to assign it the input variable to the procedure. What am I missing here?
Mysql has 3 types of variables
User Defined Variables
Local variables
session variables
User defined variables have session scope while local variables have a block scope i.e within BEGIN-END Block.
Because local variables are in scope only during stored program execution, references to them are not permitted in prepared statements created within a stored program. Prepared statement scope is the current session, not the stored program, so the statement could be executed after the program ends, at which point the variables would no longer be in scope. For example, SELECT ... INTO local_var cannot be used as a prepared statement. This restriction also applies to stored procedure and function parameters
See official docs
I wrote a stored procedure (sp_archivev3) on MySQl Workbench which is as follows. Basically, Inserting values from one database to another.
-- --------------------------------------------------------------------------------
-- Routine DDL
-- Note: comments before and after the routine body will not be stored by the server
-- --------------------------------------------------------------------------------
DELIMITER $$
CREATE DEFINER=`MailMe`#`%` PROCEDURE `sp_archivev3`()
BEGIN
INSERT INTO
send.sgev3_archive(a_bi,
b_vc,
c_int,
d_int,
e_vc,
f_vc,
g_vc,
h_vc,
i_dt,
j_vc,
k_vc,
l_vc,
m_dt,
n_vch,
o_bit)
SELECT a_bi,
b_vc,
c_int,
d_int,
e_vc,
f_vc,
g_vc,
h_vc,
i_dt,
j_vc,
k_vc,
l_vc,
m_dt,
n_vch,
o_bit
FROM send.sgev3
WHERE m_dt BETWEEN '2014-06-09' AND CURDATE();
END
When I run call sp_archivev3(); , I get an error with an error code 1046: No database
selected SELECT the default DB to be used by double-clicking its name in the SCHEMAS list in the sidebar.
Please let me know what's wrong with my stored procedure.
The problem is that MySQL doesn't know which procedure named sp_archivev3 is supposed to be executed; MySQL doesn't know which database to look in. (Stored programs are objects in a specific database, just like tables are objects in a specific database.)
Either specify the current database with USE statement:
use mydatabase;
call sp_archivev3();
or qualify the procedure with the name of database:
call mydatabase.sp_archivev3();
Problem
I have a stored procedure:
CREATE PROCEDURE `ProblematicProcedure` (IN dbName varchar(50), IN tableId INT)
MODIFIES SQL DATA
BEGIN
DROP VIEW IF EXISTS v1;
DROP VIEW IF EXISTS v2;
CALL ExecuteSql(CONCAT("CREATE VIEW v1 AS SELECT * FROM ",dbName,".my_table;"));
CALL ExecuteSql(CONCAT("CREATE VIEW v2 AS SELECT * FROM ",dbName,".table_",tableId,";"));
...
When called directly from command line or a client like Navicat or HeidiSql, it works well:
CALL ProblematicProcedure("my_schema",1);
But if called from a custom Apache module using the exactly same line above, it crashes on first ExecuteSql call. I have to make it work when called from the Apache module and couldn't find a reason to crash.
ExecuteSql definition
CREATE PROCEDURE ExecuteSql (IN sql_str TEXT)
BEGIN
SET #query = sql_str;
PREPARE stm FROM #query;
EXECUTE stm;
DEALLOCATE PREPARE stm;
END
What I tried?
Swapped two ExecuteSql calls.
Inlined ExecuteSql calls.
Removed ExecuteSql's and used direct SQL statements with hardcoded dbName and tableId values.
Created procedure without MODIFIES SQL DATA.
Granted CREATE VIEW privilege: GRANT ALL ON *.* TO 'myuser'#'%';
Note: I added simple insert statements between the lines to find where it is crashing. So, I am sure it crashes always on first ExecuteSql call.
Question
What can be reason to this crash?
Update: Finally, I managed to find error code:
ERROR 1312: Procedure can't return a result set in the given context
Solution
Use CLIENT_MULTI_STATEMENTS flag when connecting:
mysql_real_connect(conn, host, user, pass, db, 0, NULL, CLIENT_MULTI_STATEMENTS);
Why this is so?
Calling a stored procedure means executing multiple statements. So, I need to specify that I can execute multiple statements at once. Hence I am using MySql C API functions at client-side (in my Apache module), I need to specify CLIENT_MULTI_STATEMENTS flag when connecting:
mysql_real_connect(conn, host, user, pass, db, 0, NULL, CLIENT_MULTI_STATEMENTS);
Or set it later:
mysql_set_server_option(MYSQL_OPTION_MULTI_STATEMENTS_ON);
I learnt those from the C API Handling of Multiple Statement Execution page.
How I Debugged?
Debugging a stored procedure is not so easy. I used traditional log-table method, but performed a bit aggresively about finding the error code.
Firstly, defined two variables to keep the code and message about the error occurred:
DECLARE E INT DEFAULT 0; -- error code
DECLARE M TEXT DEFAULT NULL; -- error message
Then, defined possible error codes and messages both for client and server errors (full list here):
DECLARE CONTINUE HANDLER FOR 1000 SET E='1000', M="hashchk";
DECLARE CONTINUE HANDLER FOR 1001 SET E='1001', M="isamchk";
...
...
DECLARE CONTINUE HANDLER FOR 1312 SET E='1312', M="PROCEDURE %s can't return a result set in the given context";
...
...
DECLARE CONTINUE HANDLER FOR 1638 SET E='1638', M="Non-ASCII separator arguments are not fully supported";
DECLARE CONTINUE HANDLER FOR 1639 SET E='1639', M="debug sync point wait timed out";
DECLARE CONTINUE HANDLER FOR 1640 SET E='1640', M="debug sync point hit limit reached";
...
...
DECLARE CONTINUE HANDLER FOR 2057 SET E='2057', M="The number of columns in the result set differs from the number of bound buffers. You must reset the statement, rebind the result set columns, and execute the statement again";
And finally, put logs in critical points:
IF E> 0 THEN
CALL WriteLog(CONCAT("Error ", E, ": ", M));
END IF;
WriteLog is another procedure that only inserts into a log table. This method gave me the error code (1312) and then some Googling worked.
I am having a strange problem with MySQL Stored Procedure.
I have written a simple stored procedure as follows:
{
DELIMITER $$
CREATE DEFINER=`username`#`%` PROCEDURE `sp_create_my_log`(IN source TEXT,
OUT my_id INT)
BEGIN
--
-- insert record and return primary key
INSERT INTO my_log (source) VALUES (source);
SET my_id = LAST_INSERT_ID();
COMMIT;
END
}
This stored procedure is running absolutely fine on my local machine (MySQL Server 5.1, Windows XP). But when I try to run it on the server, I get the following error:
java.sql.SQLException: Parameter index of 2 is out of range (1, 0)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1075)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:989)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:984)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:929)
at com.mysql.jdbc.CallableStatement$CallableStatementParamInfo.checkBounds(CallableStatement.java:274)
at com.mysql.jdbc.CallableStatement.checkParameterIndexBounds(CallableStatement.java:710)
at com.mysql.jdbc.CallableStatement.checkIsOutputParam(CallableStatement.java:672)
at com.mysql.jdbc.CallableStatement.registerOutParameter(CallableStatement.java:1846)
at org.apache.commons.dbcp.DelegatingCallableStatement.registerOutParameter(DelegatingCallableStatement.java:95)
at org.apache.commons.dbcp.DelegatingCallableStatement.registerOutParameter(DelegatingCallableStatement.java:95)
at com.mycomp.myprj.importer.ImporterImpl.onPreLoad(ImporterImpl.java:160)
at com.mycomp.myprj.importer.csv.FileImporter.load(FileImporter.java:43)
at com.mycomp.myprj.importer.csv.MyImporter.main(MyImporter.java:82)
0.843 seconds
Any idea why this is happening?
Just a wild guess (I'm more an Oracle than a MySQL kind of guy):
- Did you perhaps declare your parameter in Java wrong? (my_id is declared as an out parameter in the stored procedure, do the signatures in Java and MySQL match?)
- What happens if you call your procedure from the MySQL command line interface?
Kind regards, Frank
My current process for debugging stored procedures is very simple. I create a table called "debug" where I insert variable values from the stored procedure as it runs. This allows me to see the value of any variable at a given point in the script, but is there a better way to debug MySQL stored procedures?
The following debug_msg procedure can be called to simply output a debug message to the console:
DELIMITER $$
DROP PROCEDURE IF EXISTS `debug_msg`$$
DROP PROCEDURE IF EXISTS `test_procedure`$$
CREATE PROCEDURE debug_msg(enabled INTEGER, msg VARCHAR(255))
BEGIN
IF enabled THEN
select concat('** ', msg) AS '** DEBUG:';
END IF;
END $$
CREATE PROCEDURE test_procedure(arg1 INTEGER, arg2 INTEGER)
BEGIN
SET #enabled = TRUE;
call debug_msg(#enabled, 'my first debug message');
call debug_msg(#enabled, (select concat_ws('','arg1:', arg1)));
call debug_msg(TRUE, 'This message always shows up');
call debug_msg(FALSE, 'This message will never show up');
END $$
DELIMITER ;
Then run the test like this:
CALL test_procedure(1,2)
It will result in the following output:
** DEBUG:
** my first debug message
** DEBUG:
** arg1:1
** DEBUG:
** This message always shows up
I do something very similar to you.
I'll usually include a DEBUG param that defaults to false and I can set to true at run time. Then wrap the debug statements into an "If DEBUG" block.
I also use a logging table with many of my jobs so that I can review processes and timing. My Debug code gets output there as well. I include the calling param name, a brief description, row counts affected (if appropriate), a comments field and a time stamp.
Good debugging tools is one of the sad failings of all SQL platforms.
How to debug a MySQL stored procedure.
Poor mans debugger:
Create a table called logtable with two columns, id INT and log VARCHAR(255).
Make the id column autoincrement.
Use this procedure:
delimiter //
DROP PROCEDURE `log_msg`//
CREATE PROCEDURE `log_msg`(msg VARCHAR(255))
BEGIN
insert into logtable select 0, msg;
END
Put this code anywhere you want to log a message to the table.
call log_msg(concat('myvar is: ', myvar, ' and myvar2 is: ', myvar2));
It's a nice quick and dirty little logger to figure out what is going on.
Yes, there is a specialized tools for this kind of thing - MySQL Debugger.
There are GUI tools for debugging stored procedures / functions and scripts in MySQL. A decent tool that dbForge Studio for MySQL, has rich functionality and stability.
Debugger for mysql was good but its not free. This is what i use now:
DELIMITER GO$
DROP PROCEDURE IF EXISTS resetLog
GO$
Create Procedure resetLog()
BEGIN
create table if not exists log (ts timestamp default current_timestamp, msg varchar(2048)) engine = myisam;
truncate table log;
END;
GO$
DROP PROCEDURE IF EXISTS doLog
GO$
Create Procedure doLog(in logMsg nvarchar(2048))
BEGIN
insert into log (msg) values(logMsg);
END;
GO$
Usage in stored procedure:
call dolog(concat_ws(': ','#simple_term_taxonomy_id', #simple_term_taxonomy_id));
usage of stored procedure:
call resetLog ();
call stored_proc();
select * from log;
Another way is presented here
http://gilfster.blogspot.co.at/2006/03/debugging-stored-procedures-in-mysql.html
with custom debug mySql procedures and logging tables.
You can also just place a simple select in your code and see if it is executed.
SELECT 'Message Text' AS `Title`;
I got this idea from
http://forums.mysql.com/read.php?99,78155,78225#msg-78225
Also somebody created a template for custom debug procedures on GitHub.
See here
http://www.bluegecko.net/mysql/debugging-stored-procedures/
https://github.com/CaptTofu/Stored-procedure-debugging-routines
Was mentioned here
How to catch any exception in triggers and store procedures for mysql?
I'm late to the party, but brought more beer:
http://ocelot.ca/blog/blog/2015/03/02/the-ocelotgui-debugger/
and
https://github.com/ocelot-inc/ocelotgui
I tried, and it seems pretty stable, supporting Breakpoints and Variable inspection.
It's not a complete suite (just 4,1 Mb) but helped me a lot!
How it works:
It integrates with your mysql client (I'm using Ubuntu 14.04), and after you execute:
$install
$setup yourFunctionName
It installs a new database at your server, that control the debugging process. So:
$debug yourFunctionName('yourParameter')
will give you a chance to step by step walk your code, and "refreshing" your variables you can better view what is going on inside your code.
Important Tip: while debugging, maybe you will change (re-create the procedure). After a re-creation, execute: $exit and $setup before a new $debug
This is an alternative to "insert" and "log" methods.
Your code remains free of additional "debug" instructions.
Screenshot:
I just simply place select statements in key areas of the stored procedure to check on current status of data sets, and then comment them out (--select...) or remove them before production.
MySQL Connector/Net 6.6 has a feature to Debug Stored Procedures and Functions
Installing the Debugger
To enable the stored procedure debugger:
For Connector/Net 6.6: Install Connector/Net 6.6 and choose the Complete option.
For Connector/Net 6.7 and later: Install the product MySQL for Visual Studio, to which the stored procedure debugger belongs.
Starting the Debugger
To start the debugger, follow these steps:
Choose a connection in the Visual Studio Server Explorer.
Expand the Stored Procedures folder. Only stored procedures can be debugged directly. To debug a user-defined function, create a stored
procedure that calls the function.
Click on a stored procedure node, then right-click and from the context menu choose Debug Routine.
MySql Connector/NET also includes a stored procedure debugger integrated in visual studio as of version 6.6,
You can get the installer and the source here:
http://dev.mysql.com/downloads/connector/net/
Some documentation / screenshots:
https://dev.mysql.com/doc/visual-studio/en/visual-studio-debugger.html
You can follow the annoucements here:
http://forums.mysql.com/read.php?38,561817,561817#msg-561817
UPDATE: The MySql for Visual Studio was split from Connector/NET into a separate product, you can pick it (including the debugger) from here https://dev.mysql.com/downloads/windows/visualstudio/1.2.html (still free & open source).
DISCLAIMER: I was the developer who authored the Stored procedures debugger engine for MySQL for Visual Studio product.
The first and stable debugger for MySQL is in dbForge Studio for MySQL
I had use two different tools to debug procedures and functions:
dbForge - many functional mysql GUI.
MyDebugger - specialized tool for debugging ... handy tool for debugging.vote http://tinyurl.com/voteimg
MySQL user defined variable (shared in session) could be used as logging output:
DELIMITER ;;
CREATE PROCEDURE Foo(tableName VARCHAR(128))
BEGIN
SET #stmt = CONCAT('SELECT * FROM ', tableName);
PREPARE pStmt FROM #stmt;
EXECUTE pStmt;
DEALLOCATE PREPARE pStmt;
-- uncomment after debugging to cleanup
-- SET #stmt = null;
END;;
DELIMITER ;
call Foo('foo');
select #stmt;
will output:
SELECT * FROM foo
Toad mysql. There is a freeware version
http://www.quest.com/toad-for-mysql/
Answer corresponding to this by #Brad Parks
Not sure about the MySQL version, but mine was 5.6, hence a little bit tweaking works:
I created a function debug_msg which is function (not procedure) and returns text(no character limit) and then call the function as SELECT debug_msg(params) AS my_res_set, code as below:
CREATE DEFINER=`root`#`localhost` FUNCTION `debug_msg`(`enabled` INT(11), `msg` TEXT) RETURNS text CHARSET latin1
READS SQL DATA
BEGIN
IF enabled=1 THEN
return concat('** DEBUG:', "** ", msg);
END IF;
END
DELIMITER $$
CREATE DEFINER=`root`#`localhost` PROCEDURE `proc_func_call`(
IN RegionID VARCHAR(20),
IN RepCurrency INT(11),
IN MGID INT(11),
IN VNC VARCHAR(255)
)
BEGIN
SET #enabled = TRUE;
SET #mainQuery = "SELECT * FROM Users u";
SELECT `debug_msg`(#enabled, #mainQuery) AS `debug_msg1`;
SET #lastQuery = CONCAT(#mainQuery, " WHERE u.age>30);
SELECT `debug_msg`(#enabled, #lastQuery) AS `debug_msg2`;
END $$
DELIMITER