This queue is for tickets about the DBI CPAN distribution.

Report information
The Basics
Id: 127542
Status: open
Priority: 0/
Queue: DBI

People
Owner: Nobody in particular
Requestors: mp2 [...] netcasters.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Tainted placeholder value
Date: Thu, 1 Nov 2018 12:59:33 -0400
To: bug-DBI [...] rt.cpan.org
From: Ted <mp2 [...] netcasters.com>
Hi,

When the id in the query below is tainted, the avg_score is 0, yet the count is 2.

- I always thought placeholders didn't care about tainted values?
- If they do, then shouldn't the whole query blow up?

If the selectrow_array is substituted for prepare/execute/fetchrow_array then there is no problem.

------------------------------------------------------------------------
#!/usr/bin/perl -t
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Reading the value back through a filehandle marks it as tainted.
sub taint_string {
    my $value = shift;
    open my $fh, '<', \$value or die "Can't open: $!";
    local $/;    # Slurp
    return <$fh>;
}

my $dbh = DBI->connect("dbi:mysql:database=xyz", 'ux', 'px');

my $id = 1;
$id = taint_string($id);

my $sql = "SELECT AVG(Score), COUNT(*) FROM zzz_scores where Id >= ?";

# $id is passed as a bind value, not interpolated into the SQL.
my ($avg_score, $count) = $dbh->selectrow_array($sql, undef, $id);
if (defined $dbh->err()) {
    die $dbh->errstr();
}

print "($avg_score, $count)\n";

$dbh->disconnect();
-------------------------------------------------------------------------
CREATE TABLE zzz_scores (
  `Id` smallint(5) unsigned NOT NULL DEFAULT '0',
  `Score` float DEFAULT NULL,
  PRIMARY KEY (Id)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

insert into zzz_scores values(1, 90);
insert into zzz_scores values(5, 100);
-------------------------------------------------------------------------
Perl 5.28
DBI 1.642
MySQL 8.0.12
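The following script is an added example and is not part of the ticket or of DBI itself. It reproduces the report's query against an in-memory DBD::SQLite database so it runs offline without the MySQL server, checks with Scalar::Util::tainted whether the bind value is actually tainted, runs both the selectrow_array path and the prepare/execute/fetchrow_array path side by side, and shows the usual taint-mode practice of validating and untainting an input through a capture group before it reaches the database. The table name, the untaint_id helper and the id pattern are assumptions chosen to match the report.

```perl
#!/usr/bin/perl -T
# Added example (not the ticket's code): run as `perl -T this_script.pl`.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Same trick as the report: reading a value back through a filehandle
# marks it as tainted.
sub taint_string {
    my $value = shift;
    open my $fh, '<', \$value or die "Can't open: $!";
    local $/;    # slurp
    return <$fh>;
}

# Validate and untaint (assumed helper): only an unsigned integer of up
# to five digits is accepted, and the capture group is what clears the
# taint flag on the copy that is returned.
sub untaint_id {
    my $raw = shift;
    my ($clean) = $raw =~ /\A(\d{1,5})\z/
        or die "Invalid id: $raw\n";
    return $clean;
}

# Run the report's query with one bind value along both DBI paths and
# return the rows as (avg, count) pairs so they can be compared.
sub query_both_ways {
    my ($dbh, $sql, $id) = @_;

    my @direct = $dbh->selectrow_array($sql, undef, $id);

    my $sth = $dbh->prepare($sql);
    $sth->execute($id);
    my @stepwise = $sth->fetchrow_array;
    $sth->finish;

    return (\@direct, \@stepwise);
}

# Constructed sample data, mirroring the two rows in the report.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE zzz_scores (Id INTEGER PRIMARY KEY, Score REAL)');
$dbh->do('INSERT INTO zzz_scores VALUES (1, 90)');
$dbh->do('INSERT INTO zzz_scores VALUES (5, 100)');

my $sql = 'SELECT AVG(Score), COUNT(*) FROM zzz_scores WHERE Id >= ?';

# First pass: the tainted value exactly as the report binds it.
# Second pass: the same value after validation/untainting.
for my $id (taint_string(1), untaint_id(taint_string(1))) {
    printf "id=%s tainted=%d\n", $id, (tainted($id) ? 1 : 0);
    my ($direct, $stepwise) = query_both_ways($dbh, $sql, $id);
    printf "  selectrow_array:          (%s, %s)\n", @$direct;
    printf "  prepare/execute/fetchrow: (%s, %s)\n", @$stepwise;
}

$dbh->disconnect;
```

Running under `-T` rather than the report's `-t` turns taint violations into fatal errors instead of warnings, which makes it obvious whether DBI ever treats the bind value as a taint violation at all; the printed tainted flag shows whether the value was still tainted when it reached the placeholder, and the two result lines show whether the two DBI call paths disagree for the same bind value.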
I'm afraid it works fine for me with DBD::SQLite and an older Perl:

$ cat 1
1
$ sqlite3 xx.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from zzz_scores;
1|90.0
5|100.0
$ perl -t x.pl
(95, 2)

code the same as what you supplied except the call to DBI->connect.

Not saying the problem isn't DBI or tainting but this might help.

Martin
--
Martin J. Evans
Wetherby, UK

