This queue is for tickets about the DBI CPAN distribution.

Report information

The Basics
Id: 127542
Status: open
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Requestors: mp2 [...] netcasters.com
Cc:
AdminCc:

BugTracker
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Tainted placeholder value
Date: Thu, 1 Nov 2018 12:59:33 -0400
To: bug-DBI@rt.cpan.org
From: Ted <mp2@netcasters.com>
Hi,

When the id in the query below is tainted, the avg_score is 0, yet the
count is 2.

- I always thought placeholders didn't care about tainted values?
- If they do, then shouldn't the whole query blow up?

If the selectrow_array is substituted for prepare/execute/fetchrow_array
then there is no problem.

------------------------------------------------------------------------

#!/usr/bin/perl -t
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Under -t/-T anything read from a filehandle is tainted, including an
# in-memory filehandle opened on a scalar, so this returns a tainted copy.
sub taint_string {
    my $value = shift;
    open my $fh, '<', \$value or die "Can't open: $!";
    local $/;    # Slurp
    return <$fh>;
}

my $dbh = DBI->connect("dbi:mysql:database=xyz",'ux','px');

my $id = 1;
$id = taint_string($id);

my $sql = "SELECT AVG(Score), COUNT(*) FROM zzz_scores where Id >= ?";

my($avg_score, $count) = $dbh->selectrow_array($sql, undef, $id);

if (defined $dbh->err()) { die $dbh->errstr(); }

print "($avg_score, $count)\n";

$dbh->disconnect();

-------------------------------------------------------------------------

CREATE TABLE zzz_scores (
  `Id` smallint(5) unsigned NOT NULL DEFAULT '0',
  `Score` float DEFAULT NULL,
  PRIMARY KEY (Id)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

insert into zzz_scores values(1, 90);
insert into zzz_scores values(5, 100);

-------------------------------------------------------------------------

Perl 5.28
DBI 1.642
MySQL 8.0.12
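A side-by-side check of the two code paths the report contrasts, added here as an example and not part of the reporter's script or of DBI itself. It assumes DBD::SQLite is installed and uses an in-memory database with a simplified schema as a stand-in; point $dsn at the MySQL database to reproduce against the driver in the report.

```perl
#!/usr/bin/perl -t
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Assumption: an in-memory SQLite database replaces "dbi:mysql:database=xyz";
# set $dsn and the credentials to the real DSN to test against MySQL.
# Run as "perl -t check.pl" (or make it executable) so taint mode is on.
my $dsn = 'dbi:SQLite:dbname=:memory:';
my $dbh = DBI->connect($dsn, '', '', { RaiseError => 1, PrintError => 0 });

# Constructed fixture with the same two rows as the report (portable types).
$dbh->do('CREATE TABLE zzz_scores (Id INTEGER PRIMARY KEY, Score REAL)');
$dbh->do('INSERT INTO zzz_scores VALUES (?, ?)', undef, @$_)
    for [1, 90], [5, 100];

# Data read from a filehandle is tainted, even from an in-memory one.
sub taint_string {
    my $value = shift;
    open my $fh, '<', \$value or die "Can't open: $!";
    local $/;
    return <$fh>;
}

my $sql = 'SELECT AVG(Score), COUNT(*) FROM zzz_scores WHERE Id >= ?';

# Same query, same placeholder value, once clean and once tainted,
# through selectrow_array and through prepare/execute/fetchrow_array.
sub compare_paths {
    my ($id) = @_;
    my @short = $dbh->selectrow_array($sql, undef, $id);

    my $sth = $dbh->prepare($sql);
    $sth->execute($id);
    my @long = $sth->fetchrow_array;
    $sth->finish;

    return (\@short, \@long, "@short" eq "@long");
}

for my $id (1, taint_string(1)) {
    my ($short, $long, $same) = compare_paths($id);
    printf "%-8s selectrow_array=(%s, %s)  prepare/execute=(%s, %s)%s\n",
        (tainted($id) ? 'tainted' : 'clean'), @$short, @$long,
        ($same ? '' : '  <-- MISMATCH');
}

$dbh->disconnect;
```

A driver on which the two paths agree prints no MISMATCH line; a mismatch on the tainted row only is the behaviour the report describes.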

I'm afraid it works fine for me with DBD::SQLite and an older Perl:

$ cat 1
1
$ sqlite3 xx.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from zzz_scores;
1|90.0
5|100.0
$ perl -t x.pl
(95, 2)

code the same as what you supplied except the call to DBI->connect.

Not saying the problem isn't DBI or tainting but this might help.

Martin
--
Martin J. Evans
Wetherby, UK

