Subject: | Tainted placeholder value |
Date: | Thu, 1 Nov 2018 12:59:33 -0400 |
To: | bug-DBI [...] rt.cpan.org |
From: | Ted <mp2 [...] netcasters.com> |
Hi,
When the id in the query below is tainted, the avg_score is 0, yet the
count is 2.
- I always thought placeholders didn't care about tainted values?
- If they do, then shouldn't the whole query blow up?
If selectrow_array is replaced with prepare/execute/fetchrow_array,
then there is no problem.
------------------------------------------------------------------------
#!/usr/bin/perl -t
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);
# Return $value with the same content but carrying the taint flag: data read
# from any filehandle is tainted while taint checks are on (-T or -t), and an
# in-memory handle over the string is the cheapest way to perform such a read.
sub taint_string {
    my ($value) = @_;
    local $/ = undef;    # slurp mode: one read yields the whole string
    open my $in, '<', \$value or die "Can't open: $!";
    return <$in>;        # evaluated in the caller's context, like a plain read
}
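# RaiseError is deliberately left off so DBI's error state is inspected by
# hand below; the connect call itself still has to be checked, because a
# failed connect returns undef and the following method calls would then die
# with an unrelated "Can't call method on an undefined value" message.
my $dbh = DBI->connect("dbi:mysql:database=xyz", 'ux', 'px')
    or die "connect failed: $DBI::errstr";

# Under the lower-case -t switch taint checks only warn, so a taint violation
# inside the driver would surface as a warning rather than a die.
my $id = 1;
$id = taint_string($id);    # same value, now flagged as tainted

# The value is passed as a bind parameter, never interpolated into the SQL.
my $sql = "SELECT AVG(Score), COUNT(*) FROM zzz_scores where Id >= ?";
my ($avg_score, $count) = $dbh->selectrow_array($sql, undef, $id);

# selectrow_array returns an empty list on failure; check the handle's error
# state so a failed query is not silently printed as "(, )".
if (defined $dbh->err()) { die $dbh->errstr(); }

# NOTE(review): the report observes AVG=0 with COUNT=2 when $id is tainted;
# nothing in this script establishes why. prepare/execute/fetchrow_array is
# reported to return the expected values for the same input.
print "($avg_score, $count)\n";
$dbh->disconnect();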
-------------------------------------------------------------------------
-- Fixture for the reproduction script: Id is the primary key, Score is
-- nullable.
CREATE TABLE zzz_scores (
    `Id`    SMALLINT(5) UNSIGNED NOT NULL DEFAULT '0',
    `Score` FLOAT DEFAULT NULL,
    PRIMARY KEY (`Id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

-- Both rows satisfy "Id >= 1", so the query in the script should see
-- COUNT(*) = 2 and AVG(Score) = 95.
INSERT INTO zzz_scores (`Id`, `Score`) VALUES (1, 90);
INSERT INTO zzz_scores (`Id`, `Score`) VALUES (5, 100);
-------------------------------------------------------------------------
Perl 5.28
DBI 1.642
MySQL 8.0.12