This queue is for tickets about the DBD-SQLite CPAN distribution.

Report information
The Basics
Id: 23242
Status: resolved
Priority: 0/
Queue: DBD-SQLite

People
Owner: Nobody in particular
Requestors: ckatz [...] cfa.harvard.edu
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: "Unknown named parameter" when binding tainted parameter
Date: Tue, 14 Nov 2006 08:54:33 -0500
To: bug-DBD-SQLite [...] rt.cpan.org
From: Charlie Katz <ckatz [...] cfa.harvard.edu>
With perl in taint mode, executing a SQL statement with a tainted parameter argument causes "Unknown named parameter". This situation occurs when accessing SQLite via Class::DBI under mod_perl, for example.

I don't understand enough about the internals to know for sure that this is a DBD::SQLite bug, but the problem does not occur with DBD::SQLite2, with all other code identical.

Thanks for your attention.

----------------------------------------------------------------------
#!/usr/bin/perl -wT

# % sqlite3 test_case.sqlite3
# sqlite> CREATE TABLE example ( id INTEGER );
# sqlite> INSERT INTO example VALUES(1);
# sqlite> ^D

use DBI;
use Taint 'taint';

my $dbh = DBI->connect('dbi:SQLite:test_case.sqlite3');
#
# with DBI->connect('dbi:SQLite2:test_case.sqlite2');
# and a SQLite2 database, no error

my $sth = $dbh->prepare("SELECT * FROM example WHERE id=?");

my $val = 1;
taint $val;
$sth->execute($val);
----------------------------------------------------------------------
Linux 2.6.15-23-686
perl 5.8.7
DBI 1.52
DBD::SQLite 1.13
From: ckatz [...] cfa.harvard.edu
This behavior appears to be new in DBD-SQLite 1.13. I've tried 1.12 and 1.11 and the problem hasn't appeared.

On Tue Nov 14 08:54:58 2006, ckatz@cfa.harvard.edu wrote:
> With perl in taint mode, executing a SQL statement with a tainted parameter
> argument causes "Unknown named parameter". This situation occurs when
> accessing SQLite via Class::DBI under mod_perl, for example.
>
> I don't understand enough about the internals to know for sure that this is a
> DBD::SQLite bug, but the problem does not occur with DBD::SQLite2, with all
> other code identical.
>
> Thanks for your attention.
>
> ----------------------------------------------------------------------
> #!/usr/bin/perl -wT
>
> # % sqlite3 test_case.sqlite3
> # sqlite> CREATE TABLE example ( id INTEGER );
> # sqlite> INSERT INTO example VALUES(1);
> # sqlite> ^D
>
> use DBI;
> use Taint 'taint';
>
> my $dbh = DBI->connect('dbi:SQLite:test_case.sqlite3');
> #
> # with DBI->connect('dbi:SQLite2:test_case.sqlite2');
> # and a SQLite2 database, no error
>
> my $sth = $dbh->prepare("SELECT * FROM example WHERE id=?");
>
> my $val = 1;
> taint $val;
> $sth->execute($val);
> ----------------------------------------------------------------------
>
> Linux 2.6.15-23-686
> perl 5.8.7
> DBI 1.52
> DBD::SQLite 1.13
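The regression described in the report and the follow-up (tainted bind values rejected by DBD::SQLite 1.13 under -T, but accepted by 1.12/1.11) can be checked without the external Taint module or an on-disk database. The test below is an added example, not part of DBD::SQLite's own test suite; it assumes DBD::SQLite and Test::More are installed, uses an in-memory database, and obtains a tainted value by concatenating with a zero-length slice of %ENV (which carries the taint flag under -T).

```perl
#!/usr/bin/perl -T
# Added regression check for the behaviour reported in this ticket.
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);
use Test::More tests => 4;

# Self-contained schema matching the report's test_case.sqlite3.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE example ( id INTEGER )');
$dbh->do('INSERT INTO example VALUES (1)');

# Under -T anything derived from %ENV is tainted; a zero-length substring of
# $ENV{PATH} is an empty string that still carries the taint flag.
my $taint_flag = substr($ENV{PATH}, 0, 0);
my $val = '1' . $taint_flag;
ok(tainted($val), 'bind value is tainted');

my $sth = $dbh->prepare('SELECT id FROM example WHERE id = ?');

# Reported failure: on DBD::SQLite 1.13 this execute() dies with
# "Unknown named parameter" even though the placeholder is positional.
my $executed = eval { $sth->execute($val); 1 };
ok($executed, 'execute() accepts a tainted positional bind value')
    or diag("execute failed: $@");
my ($id) = $executed ? $sth->fetchrow_array : (undef);
is($id, 1, 'expected row returned for tainted bind value');

# Defensive alternative that works on every version: validate the value
# against an explicit pattern, which also clears the taint flag.
my ($clean) = $val =~ /\A(\d+)\z/ or die "id must be an integer\n";
$sth->execute($clean);
is(($sth->fetchrow_array)[0], 1, 'validated (untainted) value also works');
```

Run it with the affected and unaffected DBD::SQLite versions; the second test fails only on the version that exhibits the bug, while the final test passes on all of them.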
Subject: [rt.cpan.org #23242] Patch in Debian BTS
Date: Fri, 4 May 2007 13:42:34 +0200
To: bug-DBD-SQLite [...] rt.cpan.org
From: gregor herrmann <gregor+debian [...] comodo.priv.at>
This bug was also found by a Debian user who also provides a patch. For details please take a look at http://bugs.debian.org/422209

Cheers,
gregor (Debian Perl Group)

-- 
 .''`.  http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' : debian: the universal operating system - http://www.debian.org/
 `. `'  member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-   NP: The Doors: Riders On The Storm

Fixed in svn.
