Subject: "Unknown named parameter" when binding tainted parameter
Date: Tue, 14 Nov 2006 08:54:33 -0500
To: bug-DBD-SQLite [...] rt.cpan.org
From: Charlie Katz <ckatz [...] cfa.harvard.edu>
With perl in taint mode, executing a SQL statement with a tainted parameter
argument causes "Unknown named parameter". This situation occurs when
accessing SQLite via Class::DBI under mod_perl, for example.
I don't understand enough about the internals to know for sure that this is a
DBD::SQLite bug, but the problem does not occur with DBD::SQLite2, with all
other code identical.
Thanks for your attention.
----------------------------------------------------------------------------------------------------------------------------------
#!/usr/bin/perl -wT
# Reproducer. Create the database once with the sqlite3 shell:
# % sqlite3 test_case.sqlite3
# sqlite> CREATE TABLE example ( id INTEGER );
# sqlite> INSERT INTO example VALUES(1);
# sqlite> ^D
use strict;
use DBI;
use Taint 'taint';    # Taint.pm: taint() sets the taint flag on a scalar
my $dbh = DBI->connect('dbi:SQLite:test_case.sqlite3');
#
# with DBI->connect('dbi:SQLite2:test_case.sqlite2');
# and a SQLite2 database, no error
my $sth = $dbh->prepare("SELECT * FROM example WHERE id=?");
my $val = 1;
taint $val;           # same value as before, now carrying the taint flag
$sth->execute($val);  # fails with "Unknown named parameter" under DBD::SQLite 1.13
$sth->finish;
$dbh->disconnect;
---------------------------------------------------------------------------------------------------------------------------------
Linux 2.6.15-23-686
perl 5.8.7
DBI 1.52
DBD::SQLite 1.13
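The following is an added example, not part of the bug report above: it shows the taint-mode handling a practitioner would put in front of a DBI placeholder anyway, namely validating the input with a regex capture (the only operation that clears Perl's taint flag) and checking with Scalar::Util::tainted() before the value reaches the driver. It reuses the test_case.sqlite3 database from the report; the input value is constructed by deriving it from %ENV, which is tainted under -T just like request data under mod_perl would be.

```perl
#!/usr/bin/perl -wT
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# Constructed input: concatenating with any %ENV-derived string (even an
# empty substring) taints the result, mimicking a request parameter.
my $raw_id = "1" . substr($ENV{PATH}, 0, 0);

# Validate and untaint in one step. Only a regex capture clears the taint
# flag, so the pattern is also the whitelist for acceptable input.
sub untaint_id {
    my ($v) = @_;
    return undef unless defined $v;
    return $v =~ /\A([0-9]{1,10})\z/ ? $1 : undef;
}

my $id = untaint_id($raw_id);
die "rejected id: not a plain integer\n" unless defined $id;
die "id is still tainted\n" if tainted($id);   # sanity check before binding

my $dbh = DBI->connect('dbi:SQLite:test_case.sqlite3', '', '',
                       { RaiseError => 1, PrintError => 0 });
my $sth = $dbh->prepare('SELECT id FROM example WHERE id = ?');
$sth->execute($id);     # placeholder binding with a clean, untainted value
while (my ($found) = $sth->fetchrow_array) {
    print "found id $found\n";
}
$sth->finish;
$dbh->disconnect;
```

Binding `$raw_id` directly instead of `$id` reproduces the situation the report describes (a tainted value handed to execute()); binding the untainted capture keeps the parameter validated regardless of how the driver treats the taint flag.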