MySQL directory parameters are limited and differ from the docs and other backends

jmw · June 25, 2026, 9:32pm

Issue Description

At the very least, this is a documentation bug because the current description of query parameters in the SQL directory docs (stalw.art/docs/auth/backend/sql/#directory-queries) is incorrect for the MySQL variant. The query params described there are in the Postgres style $1 and don’t work for MariaDB or MySQL, producing the error:

Server error: `ERROR 42S22 (1054): Unknown column '$1' in 'where clause''

MySQL query params take the format ? instead and are purely positional, they cannot be used multiple times or out of order. I suggest the relevant section of the docs (and the query defaults) be rewritten as follows:

The SQL variant runs the following queries against the configured store; all of them use positional parameters and sensible defaults that can be overridden per deployment. Postgres users can use the positional parameter in the format $1 and the default queries as written. MySQL and MariaDB users must modify the default queries to use a ? as their positional parameter and may only use it once per query.

In addition I feel the MySQL/MariaDB query parameters as currently implemented are inadequate. The params are purely positional and must match the number of parameters passed to the query, which is one. That’s fine if you are preparing the schema to fit Stalwart exactly, however most people who need to resort to external directories are probably doing so because they already have the data in a format they can’t change and must adapt to, and giving them the tools to be able to adapt is vital.

In my case, here’s the login query I need to execute:

SELECT email, password, 'individual' as type, name FROM mail_user WHERE (login = ? OR email = ?) AND server_id = '1' AND NOT EXISTS (SELECT domain_id FROM mail_domain WHERE domain = SUBSTRING_INDEX(?, '@', -1) AND active = 'n' AND server_id = 1)

However because I use 3 parameters I get the error:

Driver error: `Statement takes 3 parameters but 1 was supplied.'

A workaround is to use a derived table like this:

SELECT mu.email, mu.password, 'individual' AS type, mu.name FROM (SELECT ? AS login_value) AS p JOIN mail_user AS mu WHERE (mu.login = p.login_value OR mu.email = p.login_value) AND mu.server_id = '1' AND NOT EXISTS (SELECT md.domain_id FROM mail_domain AS md WHERE md.domain = SUBSTRING_INDEX(p.login_value, '@', -1) AND md.active = 'n' AND md.server_id = 1)

But it’s not ideal and very limiting.

I think there’s enough repeated issues with this behaviour that it warrants addressing, see:

github.com/stalwartlabs/stalwart

🚀: Support Multiple Keys/Parameters in SQL Queries

opened 08:32AM - 04 Sep 25 UTC

closed 08:34AM - 07 Sep 25 UTC

flajr

enhancement

### Which feature or improvement would you like to request? Currently, Stalwart…’s SQL query handling appears to only support queries with a single parameter key (one `?` placeholder). Please implement support for multiple parameter keys inside SQL queries. The query execution logic should allow passing a list/array of arguments that match the number of `?` placeholders in the query string. For example: ```sql SELECT * FROM users WHERE domain = ? AND name = ? AND mailbox = ? ``` should accept three separate arguments and properly substitute them for each key. With multiple placeholders, we could utilize eg. sql's built in `SUBSTRING_INDEX` to get specific domain or mailbox name. ## Why? - Many SQL queries require filtering or joining on multiple columns, which necessitates multiple parameters. - Supporting multi-key queries will greatly increase the flexibility and power of Stalwart’s SQL backend integration. Thank you for considering this enhancement! ### Is your feature request related to a problem? When attempting to use queries with multiple keys, only one parameter is supplied, resulting in driver errors such as: ``` Driver error: `Statement takes 3 parameters but 1 was supplied.` ``` ### Code of Conduct - [x] I agree to follow this project's Code of Conduct

github.com/stalwartlabs/stalwart

[bug]: query function does not construct valid SQL statements with query values

opened 09:18AM - 20 May 24 UTC

closed 12:03PM - 19 Jun 26 UTC

ljuti

bug

### What happened? While writing Sieve scripts that take advantage of `query`… function, I noticed that the function does not correctly construct statements with query values. The workaround for this bug is to construct a ready-made statement in Sieve for the query function and call it, for example ``` set "query_string" "SELECT 1 FROM forwardings WHERE domain = '${domain_name}' LIMIT 1"; query('sql', query_string, []); ``` ### How can we reproduce the problem? I can reproduce the problem by doing the following steps: 1. Configure a PostgreSQL store as a lookup store. 2. Create a table to query and add rows to it. 3. Have a Sieve script at DATA stage attempting to query the lookup store `query('sql', 'SELECT 1 FROM forwardings WHERE domain = ? LIMIT 1', [domain_name])` ### Expected result: Query returns `Ok(Rows { rows: [Row { values: [Integer(1)] }] })` ### Actual result: Query returns `Err(InternalError("PostgreSQL error: db error: ERROR: syntax error at or near \"LIMIT\""))` ### Version v0.7.x ### What database are you using? PostgreSQL ### What blob storage are you using? PostgreSQL ### Where is your directory located? SQL ### What operating system are you using? Docker ### Relevant log output ```shell 2024-05-19T18:47:22.087550Z TRACE store::dispatch::lookup: context="store" event="query" query="SELECT 1 FROM forwardings WHERE domain = ? LIMIT 1" result=Err(InternalError("PostgreSQL error: db error: ERROR: syntax error at or near \"LIMIT\"")) ``` ### Code of Conduct - [X] I agree to follow this project's Code of Conduct

support.stalw.art/t/authentication-agains-external-sql-mariadb-directory-not-working/554/3

I wonder if you can use named parameters as described in the mysql_async docs (docs.rs/mysql_async/latest/mysql_async/#named-parameters) as there’s only a single parameter, is the library clever enough to work out that ? or $1 is the only named parameter or if that would break existing queries.

Expected Behavior

Repeated use of the login username parameter should be permitted in MySQL directory as it is in the Postgres directory.

Actual Behavior

Using ? more than once in a SQL query results in the error:

Driver error: `Statement takes 3 parameters but 1 was supplied.

Reproduction Steps

Configure stalwart with a SQL authentication directory to MySQL or MariaDB.
Configure the default queries and observe they don’t work on MySQL or MariaDB because they are written for PostgreSQL.
Configure a slightly more complex login query that uses more than one parameter ?
Observe that the logs show too many positional parameters were given.

Relevant Log Output

Server error: `ERROR 42S22 (1054): Unknown column '$1' in 'where clause''

Driver error: `Statement takes 3 parameters but 1 was supplied.'

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

MySQL

Blob Storage

Filesystem

Search Engine

Internal

Directory Backend

SQL

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.

on

I have searched this support forum (open and closed topics) and confirm this is not a duplicate.

on

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

on

helpbot · June 25, 2026, 9:32pm

Let me look into the SQL directory documentation and the relevant source code to give an informed response.

This is a well-documented and clearly-reproducible issue. Here is what the source code confirms, along with what your workaround correctly identifies:

The issue is real and confirmed in the source code. The MySQL backend uses Params::Positional(params.iter().map(Into::into).collect()) from mysql_async, and the directory lookup code always passes exactly one value (e.g. vec![username.into()]) to every query. Since MySQL’s ? placeholders must each be matched by a parameter, a query containing multiple ? will cause the “Statement takes N parameters but 1 was supplied” error.

Your diagnosis is correct on all points:

Documentation bug: The docs show $1-style parameters which is PostgreSQL syntax. MySQL requires ? instead.
Functional limitation: Because the directory layer only ever supplies one bound value per query, MySQL users cannot repeat the same parameter by using ? more than once, unlike PostgreSQL where $1 can appear multiple times freely.
Your derived-table workaround (SELECT ? AS login_value) is the correct workaround given the current implementation, as it reduces the number of ? placeholders to one.

The named-parameter approach from mysql_async you linked to (:name syntax) would theoretically allow the same value to be referenced multiple times in a query while still only supplying one bound value. Whether it could be adopted without breaking existing queries is a question for the maintainers, but it is architecturally plausible.

This is a confirmed documentation bug plus a real functional limitation. It will need a human maintainer to address the fix on the source side and update the docs. Your derived-table workaround is the best available option until then.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

Topic		Replies	Views
Subaddress and sql directory Issues	17	38	June 6, 2026
Authentication agains external SQL (MariaDB) directory not working Issues	2	16	June 5, 2026
Quota with SQL directory no longer supported? Questions	2	13	June 19, 2026
Database migration Questions	10	136	May 28, 2026
Clarify PostgreSQL user permissions in the documentation Questions	3	29	May 11, 2026