Cannot execute stored procedure #14787

Closed
alfemy opened this Issue Dec 16, 2018 · 7 comments


alfemy commented Dec 16, 2018

Describe the bug

Cannot execute a stored procedure. Nothing happens when a user clicks the "Execute" routine button.

To Reproduce

  • phpMyAdmin 4.8.4

Steps to reproduce the behavior:

  1. Create a DB
  2. Create a stored procedure. For example:
```sql
DELIMITER //
CREATE PROCEDURE `p2` ()
LANGUAGE SQL
DETERMINISTIC
SQL SECURITY DEFINER
COMMENT 'A procedure'
BEGIN
    SELECT 'Hello World !';
END//
```
  3. Execute the stored procedure: Go to 'routines -> p2 -> execute'

Actual behavior

  1. The stored procedure was executed
  2. "Hello World!" was not displayed

Expected behavior

  1. The stored procedure was executed
  2. "Hello World!" was displayed

Screenshots

screencast 2018-12-16 18-37-42

Server configuration

  • Operating system: Checked on CentOS 7 and in Docker
  • Web server: Nginx
  • Database version: 10.0.37-MariaDB-1~xenial
  • phpMyAdmin version: 4.8.4

Additional context

Checked on CentOS 7 and using the official phpMyAdmin Docker image. There is no such issue in phpMyAdmin version 4.8.3. A stored procedure may be executed via the SQL console but cannot be executed using the "routines" menu.

@williamdes williamdes added the bug label Dec 18, 2018

@williamdes williamdes added this to the 4.8.4.1 milestone Dec 18, 2018

williamdes commented Dec 18, 2018

git bisect found that d927998 is the first bad commit

williamdes commented Dec 18, 2018

NOTES: With parameters: uses GET; without: uses POST

williamdes commented Dec 18, 2018

```sql
DELIMITER //
CREATE PROCEDURE p3(IN `id` INT(11) UNSIGNED)
LANGUAGE SQL DETERMINISTIC
SQL SECURITY DEFINER COMMENT 'A procedure'
BEGIN
     SELECT 'Hello World !',id;
END//
```

williamdes commented Dec 18, 2018

@ibennetch What should we do?

  • Revert for Routines.php::handleExecute and use $_REQUEST
  • Use POST everywhere and remove link on execute button
  • Use GET everywhere (security?)

ibennetch commented Dec 24, 2018

I'm not sure what the ideal solution is here. We can't expose a security vulnerability, but maybe there are ways to work around it; I'm just not very familiar with how this bit of code works.

Perhaps @madhuracj and @mauriciofauth have some input?

madhuracj commented Dec 26, 2018

IMO, POST should be used whenever the request performs any changes. See #6297 (comment).
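
Added example, not part of the thread and not phpMyAdmin's code: a sketch of the trade-off between the first two options listed above, a handler that reads merged input the way `$_REQUEST` does versus one that accepts the action from a POST body only. The function names, the `execute_routine` and `item_name` parameters and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Illustration only: function and parameter names are assumptions,
// not phpMyAdmin's Routines.php.

/** Returns the routine name if the input asks for execution, else null. */
function requestedRoutine(array $input): ?string
{
    if (!isset($input['execute_routine'], $input['item_name'])) {
        return null;
    }
    return is_string($input['item_name']) ? $input['item_name'] : null;
}

/** Reads merged input the way $_REQUEST does: GET and POST are both accepted. */
function routineFromRequest(array $get, array $post): ?string
{
    return requestedRoutine(array_merge($get, $post));
}

/** Accepts the action from a POST body only; a GET is ignored. */
function routineFromPost(string $method, array $post): ?string
{
    return $method === 'POST' ? requestedRoutine($post) : null;
}

// Constructed requests: a link click (GET) and a form submit (POST).
$requests = [
    'GET link ' => ['GET', ['execute_routine' => '1', 'item_name' => 'p3'], []],
    'POST form' => ['POST', [], ['execute_routine' => '1', 'item_name' => 'p2']],
];

foreach ($requests as $label => [$method, $get, $post]) {
    printf(
        "%s | merged input: %-7s | POST only: %s\n",
        $label,
        routineFromRequest($get, $post) ?? 'ignored',
        routineFromPost($method, $post) ?? 'ignored'
    );
}
```

A POST-only handler silently ignores any execute control that still issues a GET, so the second option also requires removing the link on the execute button, as the thread notes.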

ibennetch commented Jan 8, 2019

Has there been any more progress on getting this bug fixed?

@madhuracj madhuracj self-assigned this Jan 9, 2019

@madhuracj madhuracj closed this in 8b836fc Jan 9, 2019

@madhuracj madhuracj modified the milestones: 4.8.4.1, 4.8.5 Jan 9, 2019
