Bug #101561 for Apache2-AuthCookieDBI: AuthCookieDBI 2.17 breaks with non-MySQL databases

Thu Jan 15 08:36:07 2015 peter [...] emkel.co.za - Ticket created

Subject:	AuthCookieDBI 2.17 breaks with non-MySQL databases
Date:	Thu, 15 Jan 2015 15:34:47 +0200
To:	<bug-Apache2-AuthCookieDBI [...] rt.cpan.org>
From:	"Peter Gibbs" <peter [...] emkel.co.za>

Hi, There was a 'bug fix' make in AuthCookieDBI 2.17 which added backticks around identifiers in the SQL statements. This presumably works nicely for mysql, but breaks other databases. For example, postgresql uses double quotes rather than backticks to quote identifier names. The DBI module has a method "quote_identifier" which can be used to quote identifiers appropriately for the database in use, which would seem to be a better solution. For example: my $sql_query = <<"SQL"; SELECT `$c{'DBI_PasswordField'}` FROM `$c{'DBI_UsersTable'}` WHERE `$c{'DBI_UserField'}` = ? AND (`$c{'DBI_PasswordField'}` != '' AND `$c{'DBI_PasswordField'}` IS NOT NULL) SQL could be rewritten as: my $PasswordField = $dbh->quote_identifier($c{'DBI_PasswordField'}); my $UsersTable = $dbh->quote_identifier($c{'DBI_UsersTable'}); my $UsersField = $dbh->quote_identifier($c{'DBI_UsersField'}); my $sql_query = <<"SQL"; SELECT $PasswordField FROM $UsersTable WHERE $UserField = ? AND ($PasswordField != '' AND $PasswordField IS NOT NULL) SQL Regards, Peter Gibbs

Tue Apr 07 10:24:24 2015 matisse [...] spamcop.net - Status changed from 'new' to 'patched'

Tue Apr 07 10:24:25 2015 matisse [...] spamcop.net - Taken

Tue Apr 07 10:24:26 2015 matisse [...] spamcop.net - Severity Important added

Tue Apr 07 10:24:27 2015 matisse [...] spamcop.net - Broken in 2.17 added

Tue Apr 07 10:25:41 2015 matisse [...] spamcop.net - Correspondence added

Patch in merge of pull request: https://github.com/matisse/Apache-AuthCookieDBI/commit/fb49edd229d35e4ed2ca67517a45f32c8d738d68

Wed Mar 23 16:43:45 2016 TIMB [...] cpan.org - Correspondence added

FWIW I just hit this at $work.