With MySQL 5.0, it's much easier to do SQL Injection attacks, because you can use UNION against information schema. You couldn't do this with the old SHOW commands.

i.e.

SELECT * FROM users WHERE id = $id;

becomes:

SELECT * FROM users WHERE id = 0 UNION 
SELECT group_concat(table_name) FROM information_schema.tables  
WHERE table_schema=DATABASE() group by table_schema;

The rules to a union in MySQL is that the second query must match the same number of columns as the first query. In this case, you can just keep changing it till you get the column count right:

SELECT group_concat(table_name), 1, 2, 3, 4 FROM information_schema.tables 
WHERE table_schema=DATABASE() group by table_schema;

I presented on these types of attacks here

mysql> create database attack;
Query OK, 1 row affected (0.00 sec)

mysql> use attack;
Database changed

mysql> create table users (id INT UNSIGNED NOT NULL PRIMARY KEY auto_increment, username varchar(30) NOT NULL, 
password char(32) NOT NULL, UNIQUE KEY (username));
Query OK, 0 rows affected (0.00 sec)

mysql> INSERT into users (username, password) VALUES ('morgo', MD5('my_password')),
 ('ted', MD5('another_password'));
Query OK, 2 rows affected (0.41 sec)
Records: 2  Duplicates: 0  Warnings: 0

mysql> SELECT * FROM users;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | morgo    | a865a7e0ddbf35fa6f6a232e0893bea4 |
|  2 | ted      | 280fb9194368f9d1d44f8ddcc13f2717 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

mysql> CREATE TEMPORARY TABLE users_copy LIKE users;
Query OK, 0 rows affected (0.04 sec)

mysql> …

Well, if my perfectionist nature were allowed to run free, and if Peter et al's encyclopedic knowledge were somehow all transferred to paper, the second edition of High Performance MySQL would end up being the perfect encyclopedia of MySQL performance. But as it is, you're apparently going to have to settle for "very good." This quote by Sheeri Kritzer Cabral, one of our tech reviewers, really made my day:

I gotta hand it to Peter, Vadim, Arjen, and Baron. They know how to write a book!

And now I must begin a solid weekend of revisions... wish me luck!

I spent Thursday and Friday in Zurich, Switzerland visiting my friends Marcus and Caitlin and attending the Google Open Source Jam.

On Thursday, I arrived in the early afternoon in Zurich. Getting to Zurich from Siegburg is easy and takes less than five hours as there is a direct ICE connection to Basel and from there it is just one more stop with an …

Two of XAMPP's four main components were updated within the last few days and now we're ready with the first beta version of the next XAMPP release.

New in this beta are: PHP5 (5.2.5), MySQL (5.0.51), phpMyAdmin (2.11.3), and some Windows-specific packages in the Windows version of XAMPP.

XAMPP beta versions are always for testing purposes only. There will be no upgrade packages from and to beta versions. To all testers: Many thanks in advance!!

Get the downloads at XAMPP BETA.

Well, if my perfectionist nature were allowed to run free, and if Peter et al’s encyclopedic knowledge were somehow all transferred to paper, the second edition of High Performance MySQL would end up being the perfect encyclopedia of MySQL performance. But as it is, you’re apparently going to have to settle for “very good.” This quote by Sheeri Kritzer Cabral, one of our tech reviewers, really made my day: I gotta hand it to Peter, Vadim, Arjen, and Baron.

Hello everyone, We have several MySQL DBA openings, one in each of our offices in Ottawa, Boston, or Hyderabad, India. (Our Sydney office is doin’ fine.) Working at Pythian is different than working in-house or as a consultant, because you’ll be making your contributions available to each of the customers assigned to your team, allowing you to [...]

Welcome to the 75th edition (a.k.a. the Diamond Edition) of Log Buffer, the weekly review of database blogs. Let’s get things started with some views of the recently finished UKOUG Conference & Exhibition. On blog.gralike.com, Marco Gralike put together a list of articles offering just that, including reporting from Doug Burns, Mark Rittman, Daniel Fink, [...]

On my second blog I stated I would demonstrate a case where a denormalized Star schema is 50 times slower than a normalized data model.  Well, while writing this I looked at the tables again and realized that I didn't have optimal indexes and my statistics weren't optimal.  Yeah, I feel a bit foolish.  Once I fixed those issues there wasn't a performance difference.  I'll go more into this during the post test discussion. 

First, these are the table that will be used to test the performance of the normalized and denormalized data models.  The ProductNormal table represents the normalized table, has 10 million rows, and is about 0.8 gig. 

create table ProductNormal (
     productId int(11) not null,
     productName varchar(32) not null,
     productGroupId int(11) not null,
…

A friend of mine asked me: I’m hoping you can help me out with something — I’m trying to optimize a search feature. Since it uses a MySQL database, the search already uses the LIKE statement to get matches for a search query, we might be needing something more flexible. I found mention on MySQL’s website [...]