Cannot execute stored procedure #14787

Closed
alfemy opened this issue Dec 16, 2018 · 7 comments
@alfemy alfemy commented Dec 16, 2018

Describe the bug

Cannot execute a stored procedure. Nothing happens when a user clicks the "Execute" routine button.

To Reproduce

  • phpMyAdmin 4.8.4

Steps to reproduce the behavior:

  1. Create a DB
  2. Create a stored procedure. For example:
     DELIMITER //
     CREATE PROCEDURE `p2` ()
     LANGUAGE SQL
     DETERMINISTIC
     SQL SECURITY DEFINER
     COMMENT 'A procedure'
     BEGIN
         SELECT 'Hello World !';
     END//
  3. Execute the stored procedure: Go to 'routines -> p2 -> execute'

Actual behavior

  1. The stored procedure was executed
  2. "Hello World!" was not displayed

Expected behavior

  1. The stored procedure was executed
  2. "Hello World!" was displayed

Screenshots

screencast 2018-12-16 18-37-42

Server configuration

  • Operating system: Checked on CentOS 7 and in Docker
  • Web server: Nginx
  • Database version: 10.0.37-MariaDB-1~xenial
  • phpMyAdmin version: 4.8.4

Additional context

Checked on CentOS 7 and using the official phpMyAdmin Docker image. There is no such issue in phpMyAdmin version 4.8.3. A stored procedure may be executed via the SQL console but cannot be executed using the "routines" menu.

@williamdes williamdes added the bug label Dec 18, 2018
@williamdes williamdes added this to the 4.8.4.1 milestone Dec 18, 2018
Member

@williamdes williamdes commented Dec 18, 2018

git bisect found that d927998 is the first bad commit

Member

@williamdes williamdes commented Dec 18, 2018

NOTES: With parameters: uses GET, without: uses POST

Member

@williamdes williamdes commented Dec 18, 2018

DELIMITER //
CREATE PROCEDURE p3(IN `id` INT(11) UNSIGNED)
LANGUAGE SQL DETERMINISTIC
SQL SECURITY DEFINER COMMENT 'A procedure'
BEGIN
     SELECT 'Hello World !',id;
END//

Member

@williamdes williamdes commented Dec 18, 2018

@ibennetch What should we do?

  • Revert for Routines.php::handleExecute and use $_REQUEST
  • Use POST everywhere and remove link on execute button
  • Use GET everywhere (security?)

Member

@ibennetch ibennetch commented Dec 24, 2018

I'm not sure what the ideal solution is here. We can't expose a security vulnerability, but maybe there are ways to work around it; I'm just not very familiar with how this bit of code works.

Perhaps @madhuracj and @mauriciofauth have some input?

Contributor

@madhuracj madhuracj commented Dec 26, 2018

IMO, POST should be used whenever the request performs any changes. See #6297 (comment).

Member

@ibennetch ibennetch commented Jan 8, 2019

Has there been any more progress on getting this bug fixed?

@madhuracj madhuracj self-assigned this Jan 9, 2019
@madhuracj madhuracj closed this in 8b836fc Jan 9, 2019
@madhuracj madhuracj modified the milestones: 4.8.4.1, 4.8.5 Jan 9, 2019
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 21, 2020
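
The following PHP example is added here and is not phpMyAdmin code; it shows how the handler choices weighed in this thread treat the same requests, including the case where the handler reads only POST data while the UI still sends a GET link. The parameter names (`execute_routine`, `item_name`, `token`) and all function names are hypothetical.

```php
<?php
// Added example, not phpMyAdmin code. The parameter names (execute_routine,
// item_name, token) and every function name here are hypothetical.

// Option "use $_REQUEST": GET and POST are merged, so any link can trigger it.
function routineFromRequest(array $get, array $post): ?string
{
    $request = array_merge($get, $post);
    return !empty($request['execute_routine']) ? ($request['item_name'] ?? null) : null;
}

// Handler switched to POST-only while the UI still sends a GET link:
// the parameters are never seen and "nothing happens".
function routineFromPostOnly(array $get, array $post): ?string
{
    return !empty($post['execute_routine']) ? ($post['item_name'] ?? null) : null;
}

// Option "use POST everywhere": require the POST method and a per-session
// token compared in constant time, so a cross-site link or image tag cannot
// trigger execution.
function routineFromVerifiedPost(string $method, array $post, string $sessionToken): ?string
{
    if ($method !== 'POST') {
        return null;
    }
    $sent = $post['token'] ?? '';
    if (!is_string($sent) || $sessionToken === '' || !hash_equals($sessionToken, $sent)) {
        return null;
    }
    return !empty($post['execute_routine']) ? ($post['item_name'] ?? null) : null;
}

// Constructed sample requests (not captured traffic).
$token   = bin2hex(random_bytes(16));
$params  = ['execute_routine' => '1', 'item_name' => 'p2'];
$getLink = ['method' => 'GET',  'get' => $params, 'post' => []];
$form    = ['method' => 'POST', 'get' => [], 'post' => $params + ['token' => $token]];
$forged  = ['method' => 'POST', 'get' => [], 'post' => $params]; // no token

foreach (['GET link' => $getLink, 'POST form' => $form, 'forged POST' => $forged] as $label => $r) {
    printf(
        "%-12s request=%-5s post-only=%-5s verified-post=%s\n",
        $label,
        var_export(routineFromRequest($r['get'], $r['post']), true),
        var_export(routineFromPostOnly($r['get'], $r['post']), true),
        var_export(routineFromVerifiedPost($r['method'], $r['post'], $token), true)
    );
}
```

Run with `php` on the command line; each row shows which handler variants would act on that request.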