|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72346 mysql_query() not subject to max_execution_time()
Submitted: 2016-06-06 16:04 UTC Modified: 2016-06-07 05:50 UTC
From: maggus dot staab at googlemail dot com Assigned:
Status: Not a bug Package: MySQL related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2016-06-06 16:04 UTC] maggus dot staab at googlemail dot com
similar to

A DOS attack vector for SQL injections uses the mysql SELECT SLEEP() command, as it will block a PHP process which is waiting for the mysql result and also one connection to the database itself.

this renders this kind of attack as very effective because you easily can bring either apache/php or mysql above its processlimits.

Additionally the mysql version distributed with ubuntu12lts and ubuntu14lts is not recent enough to contain server side timouts on a per statement basis.

Test script:
$start = time();

    define("DB_HOSTNAME",                    "localhost");
    define("DB_USERNAME",                    "root");
    define("DB_PASSWORD",                    "");
    define("DB_NAME",                        "mysql");

$connection_id = mysql_connect(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD, false);
mysql_query('SELECT SLEEP(5)', $connection_id);

$end = time();

echo $end - $start;

Expected result:
mysql query should be interrupted after 2 seconds with a fatal error

Actual result:
no error, no timeouts triggered.

echos "5"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-06 16:26 UTC] maggus dot staab at googlemail dot com
-Package: *General Issues +Package: *Database Functions
 [2016-06-06 16:26 UTC] maggus dot staab at googlemail dot com
fixed package
 [2016-06-06 23:53 UTC]
-Status: Open +Status: Not a bug -Package: *Database Functions +Package: MySQL related
 [2016-06-06 23:53 UTC]
As the docs for set_time_limit() say, the time limit only measures time spent in the script itself. Database queries are not included because PHP is sleeping while those are running.
Server-side timeouts are the solution.
 [2016-06-07 05:50 UTC] maggus dot staab at googlemail dot com
I agree that server side timeouts help for this kind of situation.

Mysql supports server side statement timeout since 5.7.4, see , which is not bundled on ubuntu 14 lts...

Ubuntu12 and 14 lts both are used pretty frequently but doesnt support this kind of timeouts out of the box :-/
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 22 21:01:31 2024 UTC