Jjj Jjj - 3 months ago 9
MySQL Question

MySQL stored procedure, strange invalid results

I have a stored procedure called UserLogin, here is the code.

The parameters:

username varchar(200), user_pass varchar(200), ip varchar(50)


The code:

BEGIN

# find user in the database by the username and user_pass parameters
select id_member, passwd into @user_id, @password
from smf_forummembers
where member_name = username and passwd = user_pass;

if @user_id is null or @password is null THEN
select "mismatch" as result;
else
# check the user is banned (returns a result with time)
set @time = IsUserBannedSMF(@user_id);
if @time is not null THEN
select "banned" as result, @time as time;
ELSE
BEGIN
# remove any old session
delete from sessions
where sess_usr_id = @user_id;

# return the data
select "auth" as result, @user_id as user_id, @password as pass, user_pass as pass1;
end;
end if;
end if;

END


I have a automated test program running to post do 3 jobs. These being 3 web calls, invalid, valid and the same invalid test as before.

First web call, invalid;

QUERY : CALL UserLogin('testUser1','1234','::ffff:127.0.0.1');
ROWS : [ { result: 'mismatch' } ]


Second web call, valid;

QUERY : CALL UserLogin('testUser1','2ff4b7ec337310be7828906c6862b48f95384f9f','::ffff:127.0.0.1');
ROWS : [ { result: 'auth',
user_id: 28,
pass: '2ff4b7ec337310be7828906c6862b48f95384f9f',
pass1: '2ff4b7ec337310be7828906c6862b48f95384f9f' } ]


Third web call, same invalid test as one;

QUERY : CALL UserLogin('testUser1','1234','::ffff:127.0.0.1');
ROWS : [ { result: 'auth',
user_id: 28,
pass: '2ff4b7ec337310be7828906c6862b48f95384f9f',
pass1: '1234' } ]


The third web call should fail, like the first web call, but returns a valid result from the query, I don't understand how this is happening. Does MySQL cache things?

I can fix this by doing a manual if statement to check the password but at the same time I don't want to ignore why this is failing.

Answer

Make changes as suggested below:

Initialize both var just after begin:

BEGIN
set @user_id=null;
set @password=null;
# find user in the database by the username and user_pass parameters

In case of no rows found in first select statement, both variable contains previously assigned value.

Comments