This queue is for tickets about the DBD-SQLite CPAN distribution.

Report information
The Basics
Id: 23242
Status: resolved
Priority: 0/
Queue: DBD-SQLite

People
Owner: Nobody in particular
Requestors: ckatz [...] cfa.harvard.edu
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: "Unknown named parameter" when binding tainted parameter
Date: Tue, 14 Nov 2006 08:54:33 -0500
To: bug-DBD-SQLite [...] rt.cpan.org
From: Charlie Katz <ckatz [...] cfa.harvard.edu>
With perl in taint mode, executing a SQL statement with a tainted parameter argument causes "Unknown named parameter". This situation occurs when accessing SQLite via Class::DBI under mod_perl, for example.

I don't understand enough about the internals to know for sure that this is a DBD::SQLite bug, but the problem does not occur with DBD::SQLite2, with all other code identical.

Thanks for your attention.

----------------------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl -wT

# % sqlite3 test_case.sqlite3
# sqlite> CREATE TABLE example ( id INTEGER );
# sqlite> INSERT INTO example VALUES(1);
# sqlite> ^D

use DBI;
use Taint 'taint';

my $dbh = DBI->connect('dbi:SQLite:test_case.sqlite3');
#
# with DBI->connect('dbi:SQLite2:test_case.sqlite2');
# and a SQLite2 database, no error

my $sth = $dbh->prepare("SELECT * FROM example WHERE id=?");

my $val = 1;
taint $val;
$sth->execute($val);
---------------------------------------------------------------------------------------------------------------------------------

Linux 2.6.15-23-686
perl 5.8.7
DBI 1.52
DBD::SQLite 1.13
From: ckatz [...] cfa.harvard.edu
This behavior appears to be new in DBD-SQLite 1.13. I've tried 1.12 and 1.11 and the problem hasn't appeared.

On Tue Nov 14 08:54:58 2006, ckatz@cfa.harvard.edu wrote:
> With perl in taint mode, executing a SQL statement with a tainted parameter
> argument causes "Unknown named parameter". This situation occurs when
> accessing SQLite via Class::DBI under mod_perl, for example.
>
> I don't understand enough about the internals to know for sure that this is a
> DBD::SQLite bug, but the problem does not occur with DBD::SQLite2, with all
> other code identical.
>
> Thanks for your attention.
>
> ----------------------------------------------------------------------------------------------------------------------------------
> #!/usr/bin/perl -wT
>
> # % sqlite3 test_case.sqlite3
> # sqlite> CREATE TABLE example ( id INTEGER );
> # sqlite> INSERT INTO example VALUES(1);
> # sqlite> ^D
>
> use DBI;
> use Taint 'taint';
>
> my $dbh = DBI->connect('dbi:SQLite:test_case.sqlite3');
> #
> # with DBI->connect('dbi:SQLite2:test_case.sqlite2');
> # and a SQLite2 database, no error
>
> my $sth = $dbh->prepare("SELECT * FROM example WHERE id=?");
>
> my $val = 1;
> taint $val;
> $sth->execute($val);
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Linux 2.6.15-23-686
> perl 5.8.7
> DBI 1.52
> DBD::SQLite 1.13
Subject: [rt.cpan.org #23242] Patch in Debian BTS
Date: Fri, 4 May 2007 13:42:34 +0200
To: bug-DBD-SQLite [...] rt.cpan.org
From: gregor herrmann <gregor+debian [...] comodo.priv.at>
This bug was also found by a Debian user who also provides a patch.

For details please take a look at http://bugs.debian.org/422209

Cheers,
gregor (Debian Perl Group)

--
 .''`.  http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
: :' :  debian: the universal operating system - http://www.debian.org/
`. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
  `-    NP: The Doors: Riders On The Storm

Fixed in svn.