5

Stored procedure code:

CREATE DEFINER = `root` @`localhost` PROCEDURE `P_CreateUser3` (
  IN _Username NVARCHAR(30), IN _Password NVARCHAR(32), IN _DBName VARCHAR(20))
BEGIN
  CREATE USER _Username @'localhost' IDENTIFIED BY _Password ;
  GRANT SELECT, UPDATE, DELETE, INSERT 
  ON    _DBName.* 
  TO    _Username @'localhost' 
  WITH GRANT OPTION ;
END $$

Error Code: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Password ; GRANT SELECT, UPDATE, DELETE, INSERT ON `pr' at line 6

help me please.

wallyk
  • 56,922
  • 16
  • 83
  • 148
Ebrahim
  • 85
  • 1
  • 9

2 Answers2

4

Unfortunately, the use of stored procedure input parameters as passwords in a CREATE USER or GRANT statement is documented in this bug as unsupported. So you cannot actually do what you attempted.

It would be possible to PREPARE and EXECUTE a statement which is built by CONCAT() to concatenate in the new password, but this is not a secure method and is therefore not recommended. You lose all the security benefits of the stored procedure if you were to do it that way.

Michael Berkowski
  • 267,341
  • 46
  • 444
  • 390
0

You must use prepared statements because the variables doesn't evaluate directly in queries.

DELIMITER $$

DROP PROCEDURE IF EXISTS `create_user`$$

CREATE PROCEDURE `create_user`(
    `user_name` VARCHAR(50), 
    `passwd` VARCHAR(255),
    `ip` VARCHAR(50)
)
BEGIN
   set @sql = concat("CREATE USER '",`user_name`,"'@'",`ip`,"' IDENTIFIED BY '",`passwd`,"'");
   PREPARE stmt1 FROM @sql;
   EXECUTE stmt1;
   DEALLOCATE PREPARE stmt1;

   set @sql = concat("GRANT ALL PRIVILEGES ON * . * TO '",`user_name`,"'@'",`ip`,"' ");
   PREPARE stmt2 FROM @sql;
   EXECUTE stmt2;
   DEALLOCATE PREPARE stmt2;

   FLUSH PRIVILEGES;
END$$

DELIMITER ;
Ivan Cachicatari
  • 4,212
  • 2
  • 21
  • 41