On 8/27/07, Yuri Astrakhan yuriastrakhan@gmail.com wrote:
Gregory, thanks for the warning. The toolserver will not work for this - its using MySQL 5, which optimizes everything very differently. Plus it is using views instead of tables - again, there are some optimization bugs associated with that. This really has to be on the main wiki - this way we could even compare a large wiki vs a small wiki query optimizations.
It probably wouldn't be a huge security risk to open up a slave to this, but I don't expect it to happen anytime soon.
One solution would be to disable regex - most queries don't need that.
Er, what? The query doesn't depend on regex:
mysql> EXPLAIN SELECT * FROM user WHERE user_name='Simetrical' AND SUBSTRING(user_password, 1, 1) BETWEEN '8' AND 'f'; +----+-------------+-------+-------+---------------+-----------+---------+-------+------+-------+ | id | select_type | table | type | possible_keys | key | key_len | ref | rows | Extra | +----+-------------+-------+-------+---------------+-----------+---------+-------+------+-------+ | 1 | SIMPLE | user | const | user_name | user_name | 257 | const | 1 | | +----+-------------+-------+-------+---------------+-----------+---------+-------+------+-------+ 1 row in set (0.00 sec)
mysql> EXPLAIN SELECT * FROM user WHERE user_name='Simetrical' AND SUBSTRING(user_password, 1, 1) BETWEEN '8' AND 'f'; +----+-------------+-------+-------+---------------+-----------+---------+-------+------+-------+ | id | select_type | table | type | possible_keys | key | key_len | ref | rows | Extra | +----+-------------+-------+-------+---------------+-----------+---------+-------+------+-------+ | 1 | SIMPLE | user | const | user_name | user_name | 257 | const | 1 | | +----+-------------+-------+-------+---------------+-----------+---------+-------+------+-------+ 1 row in set (0.00 sec)
You could do the same thing like LIKE, or with any number of other string functions.
I guess we can make a list of prohibited fields/tables.
The only feasible option.