
Error when calling Mysql Stored procedure

Developer https://www.devze.com 2022-12-25 13:39 Source: Internet

This is my stored procedure to search through all databases, tables and columns. This procedure got created without any error.

DELIMITER $$

DROP PROCEDURE IF EXISTS `mydb`.`get_table`$$

CREATE DEFINER=`root`@`%` PROCEDURE `get_table`(in_search varchar(50))
    READS SQL DATA
BEGIN
    DECLARE trunc_cmd VARCHAR(50);
    DECLARE search_string VARCHAR(250);
    DECLARE db,tbl,clmn CHAR(50);
    DECLARE done INT DEFAULT 0;
    DECLARE COUNTER INT;
    # Builds one COUNT(*) statement per column; schema, table and column
    # names and in_search are concatenated into the statement text as-is.
    DECLARE table_cur CURSOR FOR
        SELECT concat('SELECT COUNT(*) INTO @CNT_VALUE FROM ',
                      table_schema,'.', table_name,
                      ' WHERE ', column_name,' REGEXP ''',in_search,''''
               )
               ,table_schema,table_name,column_name
          FROM information_schema.COLUMNS
         WHERE TABLE_SCHEMA NOT IN ('mydb','information_schema');
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET done=1;
    # Truncating the table to refill the data for the new search.
    PREPARE trunc_cmd FROM 'TRUNCATE TABLE temp_details';
    EXECUTE trunc_cmd ;
    OPEN table_cur;
    table_loop:LOOP
        FETCH table_cur INTO search_string,db,tbl,clmn;
        # Leave as soon as the cursor is exhausted, before the last row is reused.
        IF done=1 THEN
            LEAVE table_loop;
        END IF;
        # Executing the search
        SET @search_string = search_string;
        SELECT search_string;
        PREPARE search_string FROM @search_string;
        EXECUTE search_string;
        SET COUNTER = @CNT_VALUE;
        SELECT COUNTER;
        IF COUNTER>0 THEN
            # Inserting required results from search to table
            INSERT INTO temp_details VALUES(db,tbl,clmn);
        END IF;
    END LOOP;
    CLOSE table_cur;
    # Finally show results
    SELECT * FROM temp_details;
END$$

DELIMITER ;

But when calling this procedure, the following error occurs.

call get_table('aaa')

Error Code : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'delete REGEXP 'aaa'' at line 1 (0 ms taken)


Where does "delete" come from? Do you have a column_name with that name? If so, use better names, not reserved ones, or use nasty backticks ` or ANSI-quotes " around the column name.

Constructions like this are vulnerable to SQL injection.

0
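
A hardened variant of the procedure, as an added example that is not part of the original question or answer: every identifier is backtick-quoted, the search value is bound through a ? placeholder instead of being concatenated, and the routine runs with the caller's rights rather than as root@%. The names get_table_safe, col_cur, stmt, @q, @pattern and @cnt are hypothetical, and limiting the scan to character columns is an assumption.

```sql
-- Added example, not the code from the question. Hypothetical names:
-- get_table_safe, col_cur, stmt, @q, @pattern, @cnt.
DELIMITER $$

DROP PROCEDURE IF EXISTS `mydb`.`get_table_safe`$$

CREATE PROCEDURE `mydb`.`get_table_safe`(in_search VARCHAR(50))
    SQL SECURITY INVOKER   -- run with the privileges of the caller
BEGIN
    DECLARE db, tbl, clmn VARCHAR(64);
    DECLARE done INT DEFAULT 0;
    DECLARE col_cur CURSOR FOR
        SELECT table_schema, table_name, column_name
          FROM information_schema.COLUMNS
         WHERE table_schema NOT IN ('mydb', 'information_schema')
           AND character_set_name IS NOT NULL;  -- assumption: text columns only
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;

    TRUNCATE TABLE temp_details;
    SET @pattern = in_search;   -- the search value travels as a bound parameter

    OPEN col_cur;
    col_loop: LOOP
        FETCH col_cur INTO db, tbl, clmn;
        IF done = 1 THEN
            LEAVE col_loop;
        END IF;

        -- Backtick-quote every identifier and double embedded backticks, so a
        -- column called delete (or one containing SQL text) stays a name.
        SET @q = CONCAT(
            'SELECT COUNT(*) INTO @cnt FROM `',
            REPLACE(db,   '`', '``'), '`.`',
            REPLACE(tbl,  '`', '``'), '` WHERE `',
            REPLACE(clmn, '`', '``'), '` REGEXP ?');
        PREPARE stmt FROM @q;
        EXECUTE stmt USING @pattern;
        DEALLOCATE PREPARE stmt;

        IF @cnt > 0 THEN
            INSERT INTO temp_details VALUES (db, tbl, clmn);
        END IF;
    END LOOP;
    CLOSE col_cur;

    SELECT * FROM temp_details;
END$$

DELIMITER ;
```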
