Search

Loop-hole where non-existant column isn't properly evaluated by Zer0n3

Closed
as By Design Help for as By Design

0
0
Sign in
 to vote
Type: Bug
ID: 392492
Opened: 1/8/2009 4:32:35 PM
Access Restriction: Public
0
Workaround(s)
0
User(s) can reproduce this bug
We stumbled upon an odd issue which I repeatedly tested and confirmed on SQL 2000, 2005 and 2008.

It seems you can accidentally trick the evaluator in creating a left join with no predicate which results in returning all rows instead of returning the proper error "Invalid column name ''."

Here is an easy to test example:

select colid from sysobjects;

We know this will fail since the column 'colid' doesn't exist in sysobjects, this is how the evaluator should work.

Now try this:

select colid from syscolumns where colid in (select colid from sysobjects) ;

This should fail but it actually doesn't evaluate correctly even though the column 'colid' doesn't exist in the sysobjects table. The result from running the above query is that ALL rows from 'syscolumns' are returned. In the execution plan you will find a 'Nested Loops' with a warning about 'No join predicate'.

Results by returning *all* the rows from the syscolumns table.

I used sysobjects and syscolumns in this example for ease of testing on any system but we actually encountered this with one of our application databases in our QA environment.

The only way to duplicate this is where the column referenced in the where clause is named identically to the column used in the sub-select (but doesn't actually exist in the sub table) "select * from tableA where COLUMN1234 in (select COLUMN1234 from tableB)"
Details (expand)
Product Language
English

Version

SQL Server 2008 - Enterprise Edition

Category

SQL Engine

Operating System

Not Applicable
Operating System Language
Not Applicable
Steps to Reproduce
select colid from syscolumns where colid in (select colid from sysobjects)



Actual Results
Results by returning *all* the rows from the syscolumns table.

Expected Results
The evaluator should have caught the run-time error.


Msg 207, level 16, State 1, Line 2
Invalid column name 'colid'.

Platform

 
File Attachments
0 attachments
Sign in to post a comment.
Posted by Microsoft on 1/9/2009 at 5:21 PM
As the other person said, this is a correlated subquery and the behavior is correct. You can refer to columns from the outer scope in the correlated subquery, which is colid in your query.

You can read more about correlated queries here: http://msdn.microsoft.com/en-us/library/ms187638.aspx
Posted by Adam Machanic on 1/8/2009 at 7:22 PM
This is not a bug; it's actually correct behavior per ANSI SQL. The problem is that you're accidentally creating a correlated subquery without realizing as much. The query processor looked for any "colid" columns available in the scope of the subquery, and found the column from the outer table. Since you didn't use a table prefix, that's expected behavior. To avoid these problems going forward, make sure to always use prefixes. It has the side benefit of making your code much easier to read!
Sign in to post a workaround.
© 2013 Microsoft Corporation. All rights reserved. Microsoft Connect Terms of Use | Trademarks | Privacy Statement