Test (and fix) handling of undefined parameters.

Author: bgrainger

src/MySqlConnector/Core/PreparedStatementCommandExecutor.cs

@@ -68,6 +68,10 @@ private PayloadData CreateQueryPayload(PreparedStatement preparedStatement, MySq
 				{
 					var parameterName = preparedStatement.Statement.ParameterNames[i];
 					var parameterIndex = parameterName != null ? parameterCollection.NormalizedIndexOf(parameterName) : preparedStatement.Statement.ParameterIndexes[i];
+					if (parameterIndex == -1 && parameterName != null)
+						throw new MySqlException("Parameter '{0}' must be defined.".FormatInvariant(parameterName));
+					else if (parameterIndex < 0 || parameterIndex >= parameterCollection.Count)
+						throw new MySqlException("Parameter index {0} is invalid when only {1} parameter{2} defined.".FormatInvariant(parameterIndex, parameterCollection.Count, parameterCollection.Count == 1 ? " is" : "s are"));
 					parameters[i] = parameterCollection[parameterIndex];
 				}
 

src/MySqlConnector/Core/StatementPreparer.cs

@@ -53,6 +53,8 @@ private int GetParameterIndex(string name)
 
 		private MySqlParameter GetInputParameter(int index)
 		{
+			if (index >= m_parameters.Count)
+				throw new MySqlException("Parameter index {0} is invalid when only {1} parameter{2} defined.".FormatInvariant(index, m_parameters.Count, m_parameters.Count == 1 ? " is" : "s are"));
 			var parameter = m_parameters[index];
 			if (parameter.Direction != ParameterDirection.Input && (m_options & StatementPreparerOptions.AllowOutputParameters) == 0)
 				throw new MySqlException("Only ParameterDirection.Input is supported when CommandType is Text (parameter name: {0})".FormatInvariant(parameter.ParameterName));

tests/SideBySide/CommandTests.cs

@@ -172,6 +172,68 @@ public void IgnoreCommandTransactionIgnoresDifferentTransaction()
 			}
 		}
 
+		[Fact]
+		public void ThrowsIfNamedParameterUsedButNoParametersDefined()
+		{
+			using (var connection = new MySqlConnection(AppConfig.ConnectionString))
+			{
+				connection.Open();
+				using (var cmd = new MySqlCommand("SELECT @param;", connection))
+				{
+					Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+				}
+			}
+		}
+
+		[Fact]
+		public void ThrowsIfUnnamedParameterUsedButNoParametersDefined()
+		{
+			using (var connection = new MySqlConnection(AppConfig.ConnectionString))
+			{
+				connection.Open();
+				using (var cmd = new MySqlCommand("SELECT ?;", connection))
+				{
+#if BASELINE
+					Assert.Throws<IndexOutOfRangeException>(() => cmd.ExecuteScalar());
+#else
+					Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+#endif
+				}
+			}
+		}
+
+		[Fact]
+		public void ThrowsIfUndefinedNamedParameterUsed()
+		{
+			using (var connection = new MySqlConnection(AppConfig.ConnectionString))
+			{
+				connection.Open();
+				using (var cmd = new MySqlCommand("SELECT @param;", connection))
+				{
+					cmd.Parameters.AddWithValue("@name", "test");
+					Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+				}
+			}
+		}
+
+		[Fact]
+		public void ThrowsIfTooManyUnnamedParametersUsed()
+		{
+			using (var connection = new MySqlConnection(AppConfig.ConnectionString))
+			{
+				connection.Open();
+				using (var cmd = new MySqlCommand("SELECT ?, ?;", connection))
+				{
+					cmd.Parameters.Add(new MySqlParameter { Value = 1 });
+#if BASELINE
+					Assert.Throws<IndexOutOfRangeException>(() => cmd.ExecuteScalar());
+#else
+					Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+#endif
+				}
+			}
+		}
+
 		private static string GetIgnoreCommandTransactionConnectionString()
 		{
 #if BASELINE

tests/SideBySide/PreparedCommandTests.cs

@@ -166,6 +166,60 @@ public void PreparedCommandIsCached()
 			}
 		}
 
+		[Fact]
+		public void ThrowsIfNamedParameterUsedButNoParametersDefined()
+		{
+			using (var connection = CreatePrepareConnection())
+			using (var cmd = new MySqlCommand("SELECT @param;", connection))
+			{
+#if BASELINE
+				Assert.Throws<InvalidOperationException>(() => cmd.Prepare());
+#else
+				cmd.Prepare();
+				Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+#endif
+			}
+		}
+
+		[Fact]
+		public void ThrowsIfUnnamedParameterUsedButNoParametersDefined()
+		{
+			using (var connection = CreatePrepareConnection())
+			using (var cmd = new MySqlCommand("SELECT ?;", connection))
+			{
+				cmd.Prepare();
+				Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+			}
+		}
+
+		[Fact]
+		public void ThrowsIfUndefinedNamedParameterUsed()
+		{
+			using (var connection = CreatePrepareConnection())
+			using (var cmd = new MySqlCommand("SELECT @param;", connection))
+			{
+				cmd.Parameters.AddWithValue("@name", "test");
+#if BASELINE
+				Assert.Throws<InvalidOperationException>(() => cmd.Prepare());
+#else
+				cmd.Prepare();
+				Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+#endif
+			}
+		}
+
+		[Fact]
+		public void ThrowsIfTooManyUnnamedParametersUsed()
+		{
+			using (var connection = CreatePrepareConnection())
+			using (var cmd = new MySqlCommand("SELECT ?, ?;", connection))
+			{
+				cmd.Parameters.Add(new MySqlParameter { Value = 1 });
+				cmd.Prepare();
+				Assert.Throws<MySqlException>(() => cmd.ExecuteScalar());
+			}
+		}
+
 		public static IEnumerable<object[]> GetInsertAndQueryData()
 		{
 			foreach (var isPrepared in new[] { false, true })