Simple SELECT query returning inaccurate results! (MySQL bug?)

Tea_J

Hi guys

i have a table for products, w/ product IDs (pid) as its index integer type column.

now... if i do a query:

SELECT summary
FROM products
WHERE
pid='722'

it returns product 722, say for example milk

that's normal and expected yes. but then when i do

SELECT summary
FROM products
WHERE
pid='722z'

adding a "z" after the pid, mysql ALSO returns product 722 .. so im like wtf?

and even if i ad more zzzaa whatever after the "722" mysql still returns that same product..

I dont have a product 722z , it's actually just a typo i stumbled upon and i was surprise to see that mysql was returning results even if there are characters after the pid .. i would expect this in an SQL statement invovling %like% but not "=" as this is supposed to be exact..

What's wrong w/ this? is this a known bug?

regards

bradgrafelman

Tea_J wrote:
What's wrong w/ this? is this a known bug?

Yup - it's a well known bug. The bug is you, however, not MySQL. 😉

If pid is a numeric column, why are you comparing it to a string? Don't compare apples to oranges and you won't get this unexpected behavior. I suspect MySQL is attempting to coerce the string into a number that it can actually use to perform the comparison, and I also suspect that this type casting gets performed quite similar to what PHP would do. Example:

$var[] = (int)"727";
$var[] = (int)"727zzz";
$var[] = (int)"727 and anything that isn't a number, since PHP will stop at that point.";

var_dump($var);

Output:

array(3) {
  [0]=>
  int(727)
  [1]=>
  int(727)
  [2]=>
  int(727)
}

Furthermore, I suspect that you don't have MySQL set in strict mode (something I always do). From the MySQL manual for STRICT_ALL_TABLES (one of the 'strict modes'):

MySQL Manual wrote:
Enable strict mode for all storage engines. Invalid data values are rejected.

Set MySQL in strict mode and then execute those queries again.

johanafm

bradgrafelman;10983142 wrote:
I suspect MySQL is attempting to coerce the string into a number that it can actually use to perform the comparison, and I also suspect that this type casting gets performed quite similar to what PHP would do.

Sort of, but worse. Both the int and the string are converted to floats, which means that a string and an integer that look the same to the eye may very well end up being different due to float precision issues and rounding in the conversion process.

bradgrafelman;10983142 wrote:
Furthermore, I suspect that you don't have MySQL set in strict mode (something I always do).
Set MySQL in strict mode and then execute those queries again.

Acutally I believe those queries will still succeed without warnings, since Tea_J's dealing with comparisons.

But either way, there is no good reason not to use integers as integers, strings as strings etc. That goes both for int_field = 722 as well as numeric_varchar_field = '722'

Tea_J

ey guys, and thanks much for clarification brad...

1st of all, i'm glad to know there's nothing wrong w/ my MySQL installation lolz

Just for clarifcation though, ofcourse I use the data types properly, i just accidentaly added "z" at the end of one of my SQL statements (from one of my CNTRL+Z (undo) actions perhaps... and I just found it now in my code.. i didnt really know it was there since everything was working normally hehe.. So i just wondered..

As for the strict setting, you know , i didnt even know it's there haha..

Thanks very much

johanafm

Tea_J;10983135 wrote:
WHERE pid='722'

Tea_J;10983222 wrote:
I use the data types properly

I disagree. If you did, the above where clause would be

WHERE pid=722

You id field is an integer after all, isn't it?

Tea_J

yes it's integer, and yes i quoted it as i always do when i make select statements in my PHP scripts.. long story, but it's always worked for me..
plus i have a function that makes sql statements for me so i dnt need to pains takingly type each variable=value (or variable='value') pairing in my sql insert statements.. too redundant specially if dealing w/ a bunch of data.. ..

sql_insert($table,$variables);

eg $mySQL_stantement = sql_insert('customers','first_name,last_name,age,sex,address');

and i need not make that function complicated to figure out if im passing a variable w/ string or integer to decide wther to single quote the value part

var=value VS var='value'

😛

johanafm

Tea_J;10983320 wrote:
yes it's integer, and yes i quoted it

Then your column is integer, but no, the data passed to it is not - it's a string literal.

-- integer
1
-- string
'1'

Which means that you are passing a string to be stored in a column with data type integer => type converstion needed.

Tea_J;10983320 wrote:
it's always worked for me..

which doesn't mean that it always will work, or that it's a good idea to do it that way.

SELECT '18015376320243459' = 18015376320243459;

produces 0 (false)

Tea_J;10983320 wrote:
sql_insert($table,$variables);

and i need not make that function complicated to figure out if im passing a variable w/ string or integer to decide wther to single quote the value part

var=value VS var='value'

which leads me to wonder if you deal with validation of user input. For example, since you pass neither data, nor a connection handle to sql_insert() which takes only 2 parameters instead of the expected 4, are you referencing $_POST variables directly and making use of global directive to reference your db connection handle, or do you not use mysql_real_escape_string?
I.e. can the user, by forging their own post request, manage SQL injection.

And no, it doesn't need to be complicated to get it done properly

$link = mysql_connect('ip','user','pass');

# Deals with creating the query, casting data to its proper type,
# uses mysql_real_escape_string to make strings safe
# and also disregards any value which is not explicitly permitted
function createInsertQuery($table, $fields, $values, $link)
{
	if (count($fields) == 0 || count($values) == 0)
		return '';
	$useFields = array();
	$useValues = array();
	foreach ($fields as $name => $type)
	{
		if (isset($values[$name]))
		{
			$useFields[] = $name;
			switch ($type)
			{
				case 'i':
					$useValues[] = (int) $values[$name];
					break;
				case 'f':
					$useValues[] = (float) $values[$name];
					break;
				default:
					$useValues[] = sprintf("'%s'",
									mysql_real_escape_string($values[$name], $link));
					break;
			}
		}
	}
	return sprintf('INSERT INTO `%s`(%s) VALUES(%s)',
				$table,
				implode(', ', $useFields),
				implode(', ', $useValues)
			);
}

# Specifies which fields _may_ be included in the query and what table to use.
# Fields are only included if $post actually contains corresponding data.
function addUserQuery($post, $link)
{
	static $fields = array(
		'name' => 's',
		'rank' => 'i',
		'score' => 'f'
	);

return createInsertQuery('user', $fields, $post, $link);
}
$_POST = array(
	'name' => "O'brien",
# if data for some field is not supplied, it will of course not be included in the insert query
#	'rank' => '4',
	'score' => '5.3',
# nor will data that is not explicitly allowed
	'forged_post_reguest' => 'whatever'
);

$query = addUserQuery($_POST, $link);