MariaDB · vuvova · Jan 14, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result
@@ -122,6 +122,13 @@ GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
 SET PASSWORD FOR u1 = PASSWORD('pwd 098');
 CREATE USER u3 IDENTIFIED BY '';
 ALTER USER u3 IDENTIFIED BY 'pwd-456';
+GRANT SELECT ON sa_db.* TO pwd_test1 IDENTIFIED BY 'grantpwd789';
+CHANGE MASTER TO MASTER_HOST='127.0.0.1', MASTER_USER='repl', MASTER_PASSWORD='replsecret';
+CREATE SERVER pwd_server FOREIGN DATA WRAPPER mysql OPTIONS (HOST 'localhost', USER 'remote', PASSWORD 'serverpwd');
+ALTER SERVER pwd_server OPTIONS (PASSWORD 'newserverpwd');
+DROP USER pwd_test1;
+DROP SERVER pwd_server;
+RESET SLAVE ALL;
 drop user u1, u2, u3;
 set global server_audit_events='query_ddl';
 create table t1(id int);
@@ -177,6 +184,43 @@ select 2;
 /*comment*/ select 2;
 2
 2
+with foo as (select 1) select 6;
+6
+6
+values (7, 'a'), (8, 'b');
+7	a
+7	a
+8	b
+#
+# Certain usage of comments and control characters in query strings bypass audit
+# logging when filtering in QUERY_{DCL/DML/DDL} mode
+#
+-- A comment
+select 1;
+1
+1
+--A comment
+select 2;
+2
+2
+# A comment
+select 3;
+3
+3
+/*! SELECT 4 */;
+4
+4
+/*M! SELECT 5 */;
+5
+5
+/*!100100 SELECT 6 */;
+6
+6
+/*!999999 SELECT 'should not log' */;
+/*M!100100 SELECT 7 */;
+7
+7
+/*M!999999 SELECT 'should not log' */;
 drop table t1;
 set global server_audit_events='query_dcl';
 create table t1(id int);
@@ -417,6 +461,25 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY ***
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,global_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'ALTER USER u3 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,global_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT SELECT ON sa_db.* TO pwd_test1 IDENTIFIED BY *****',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CHANGE MASTER TO MASTER_HOST=\'127.0.0.1\', MASTER_USER=\'repl\', MASTER_PASSWORD=*****',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,servers,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE SERVER pwd_server FOREIGN DATA WRAPPER mysql OPTIONS (HOST \'localhost\', USER \'remote\', PASSWORD *****)',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,servers,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'ALTER SERVER pwd_server OPTIONS (PASSWORD *****)',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,proxies_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,roles_mapping,
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,global_priv,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP USER pwd_test1',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,servers,
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'DROP SERVER pwd_server',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'RESET SLAVE ALL',0
+TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,db,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,tables_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,columns_priv,
 TIME,HOSTNAME,root,localhost,ID,ID,WRITE,mysql,procs_priv,
@@ -441,6 +504,15 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'select 2',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'(select 2)',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*! select 2*/',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*comment*/ select 2',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'with foo as (select 1) select 6',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'values (7, \'a\'), (8, \'b\')',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'-- A comment\nselect 1',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'--A comment\nselect 2',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'# A comment\nselect 3',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*! SELECT 4 */',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*M! SELECT 5 */',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*!100100 SELECT 6 */',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*M!100100 SELECT 7 */',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u1 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT ALL ON sa_db TO u2 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0

diff --git a/mysql-test/suite/plugins/t/server_audit.test b/mysql-test/suite/plugins/t/server_audit.test
@@ -102,6 +102,13 @@ GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
 SET PASSWORD FOR u1 = PASSWORD('pwd 098');
 CREATE USER u3 IDENTIFIED BY '';
 ALTER USER u3 IDENTIFIED BY 'pwd-456';
+GRANT SELECT ON sa_db.* TO pwd_test1 IDENTIFIED BY 'grantpwd789';
+CHANGE MASTER TO MASTER_HOST='127.0.0.1', MASTER_USER='repl', MASTER_PASSWORD='replsecret';
+CREATE SERVER pwd_server FOREIGN DATA WRAPPER mysql OPTIONS (HOST 'localhost', USER 'remote', PASSWORD 'serverpwd');
+ALTER SERVER pwd_server OPTIONS (PASSWORD 'newserverpwd');
+DROP USER pwd_test1;
+DROP SERVER pwd_server;
+RESET SLAVE ALL;
 drop user u1, u2, u3;
 
 set global server_audit_events='query_ddl';
@@ -133,6 +140,31 @@ select 2;
 (select 2);
 /*! select 2*/;
 /*comment*/ select 2;
+with foo as (select 1) select 6;
+values (7, 'a'), (8, 'b');
+
+--echo #
+--echo # Certain usage of comments and control characters in query strings bypass audit
+--echo # logging when filtering in QUERY_{DCL/DML/DDL} mode
+--echo #
+
+query -- A comment
+select 1;
+
+query --A comment
+select 2;
+
+query # A comment
+select 3;
+
+query /*! SELECT 4 */;
+query /*M! SELECT 5 */;
+
+query /*!100100 SELECT 6 */;
+query /*!999999 SELECT 'should not log' */;
+query /*M!100100 SELECT 7 */;
+query /*M!999999 SELECT 'should not log' */;
+
 drop table t1;
 set global server_audit_events='query_dcl';
 create table t1(id int);

diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c
@@ -1686,20 +1686,10 @@ static int log_statement_ex(const struct connection_info *cn,
   if (query && !(events & EVENT_QUERY_ALL) &&
       (events & EVENT_QUERY && !cn->log_always))
   {
-    const char *orig_query= query;
-
-    if (events & EVENT_QUERY_DDL && cmdtype & EVENT_QUERY_DDL)
-      goto do_log_query;
-    if (events & EVENT_QUERY_DML && cmdtype & EVENT_QUERY_DML)
-      goto do_log_query;
-    if (events & EVENT_QUERY_DML_NO_SELECT && cmdtype & EVENT_QUERY_DML_NO_SELECT)
-      goto do_log_query;
-    if (events & EVENT_QUERY_DCL && cmdtype & EVENT_QUERY_DCL)
-      goto do_log_query;
-
-    return 0;
-do_log_query:
-    query= orig_query;
+    if (!(events & cmdtype &
+          (EVENT_QUERY_DDL | EVENT_QUERY_DML | EVENT_QUERY_DML_NO_SELECT |
+           EVENT_QUERY_DCL)))
+      return 0;
   }
 
   csize= log_header(message, message_size-1, &ev_time,