From 149a36cc3948030020c8e25d7200002ad1411417 Mon Sep 17 00:00:00 2001
From: hzyy
Date: Wed, 14 May 2025 03:44:43 +0200
Subject: [PATCH] fix(mysql): validate parameter count for prepared statements

Add validation to ensure the number of provided parameters matches the expected count for MySQL prepared statements. This prevents protocol errors by returning an error if the counts do not match before sending the statement for execution.
---
 sqlx-mysql/src/connection/executor.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/sqlx-mysql/src/connection/executor.rs b/sqlx-mysql/src/connection/executor.rs
index 4f5af4bf6d..d08d78147c 100644
--- a/sqlx-mysql/src/connection/executor.rs
+++ b/sqlx-mysql/src/connection/executor.rs
@@ -123,6 +123,14 @@ impl MySqlConnection {
 .get_or_prepare_statement(sql)
 .await?;
 
+ if arguments.types.len() != metadata.parameters {
+ return Err(Error::Protocol(format!(
+ "Prepared statement expected {} parameters but {} parameters were provided",
+ metadata.parameters,
+ arguments.types.len()
+ )));
+ }
+
 // https://dev.mysql.com/doc/internals/en/com-stmt-execute.html
 self.inner.stream
 .send_packet(StatementExecute {
@@ -137,6 +145,14 @@ impl MySqlConnection {
 .prepare_statement(sql)
 .await?;
 
+ if arguments.types.len() != metadata.parameters {
+ return Err(Error::Protocol(format!(
+ "Prepared statement expected {} parameters but {} parameters were provided",
+ metadata.parameters,
+ arguments.types.len()
+ )));
+ }
+
 // https://dev.mysql.com/doc/internals/en/com-stmt-execute.html
 self.inner.stream
 .send_packet(StatementExecute {
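Review bot: The eight added lines are pasted verbatim into both the cached branch here and the non-persistent branch in the next hunk, so the condition and the message will drift apart the first time one copy is edited. A small helper keeps them in one place and leaves each call site as one line, `check_parameter_count(metadata.parameters, arguments.types.len())?;`, with the helper taking `(expected: usize, provided: usize) -> Result<(), Error>` and holding the `format!` shown here. Separately, the mismatch is reported as `Error::Protocol`; if the crate documents that variant as a driver bug or a corrupted connection, a wrong number of bound arguments is a caller mistake and may fit a caller-facing variant better, which is worth confirming against the `Error` docs. The enclosing function starts before the hunk and continues past it, and `arguments` and `metadata` are bound outside what is shown.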
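Review bot: The early `return Err(...)` added here runs after `.prepare_statement(sql)` has already created a statement on the server, and unlike the first hunk this branch does not go through `get_or_prepare_statement`, so the id presumably is not kept in the statement cache. If this branch only closes the statement after execution (that code is outside the hunk), the new return skips the close and the prepared statement stays allocated server-side until the connection drops; a caller that repeatedly hits the mismatch would accumulate them against the server's prepared-statement limit. Worth sending the branch's statement-close packet for the id `prepare_statement` returned before returning the error, e.g. `if let Err(e) = check { self.inner.stream.send_packet(close_for(id)).await?; return Err(e); }` with whatever close packet the branch already uses on its normal path. The function and the branch both start before the hunk and continue past it.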