Subject: bind_param SQL_INTEGER numifies value
When a non-numeric value is passed to a numeric bind, the value is
numified and used without an error.
This leads to an unexpected success and wrong data in the database.
The following little script shows the bug:
#!/usr/bin/env perl
use strict;
use warnings;
use DBI qw(:sql_types); # Don't forget this, it exports SQL_INTEGER etc.
my $dbh = DBI->connect("dbi:SQLite:dbname=test.db","","");
$dbh->do("CREATE TABLE producer (
    producerid INTEGER PRIMARY KEY NOT NULL,
    name varchar(100) NOT NULL
);");
my $sth = $dbh->prepare("INSERT INTO producer ( producerid, name )
    VALUES( ?, ? )");
$sth->bind_param(1, 'foo', SQL_INTEGER); # non-numeric value in an integer bind
$sth->bind_param(2, 'bar', SQL_VARCHAR);
$sth->execute(); # succeeds instead of failing
Only this warning is thrown:
Argument "foo" isn't numeric in subroutine entry at
./dbd-sqlite-bind-bug.pl line 14.
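As an added example (not part of the report or of DBD::SQLite), a small wrapper around bind_param that rejects non-integer values under SQL_INTEGER before the driver can numify them. The helper names bind_checked and is_integer_literal are my own, and it uses an in-memory database instead of test.db.

```perl
#!/usr/bin/env perl
# Added example: refuse non-integer values in SQL_INTEGER binds so a
# value such as 'foo' dies instead of being silently numified and stored.
use strict;
use warnings;
use Carp qw(croak);
use DBI qw(:sql_types);

# Strict integer check: optional sign and digits only (no spaces, no decimals).
sub is_integer_literal {
    my ($v) = @_;
    return defined $v && $v =~ /\A[+-]?[0-9]+\z/;
}

# Drop-in for bind_param: validates SQL_INTEGER binds, then delegates.
# undef is allowed through, since it binds as NULL.
sub bind_checked {
    my ($sth, $idx, $value, $type) = @_;
    my $t = ref $type eq 'HASH' ? $type->{TYPE} : $type;   # bind_param accepts both forms
    if (defined $value && defined $t && $t == SQL_INTEGER
        && !is_integer_literal($value)) {
        croak "bind $idx: value '$value' is not an integer";
    }
    return $sth->bind_param($idx, $value, $type);
}

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE producer (
    producerid INTEGER PRIMARY KEY NOT NULL,
    name varchar(100) NOT NULL
)");
my $sth = $dbh->prepare("INSERT INTO producer (producerid, name) VALUES (?, ?)");

# A real integer passes through unchanged.
bind_checked($sth, 1, '42',  SQL_INTEGER);
bind_checked($sth, 2, 'bar', SQL_VARCHAR);
$sth->execute;

# The value from the report is rejected before it reaches the driver.
my $ok = eval { bind_checked($sth, 1, 'foo', SQL_INTEGER); 1 };
print "rejected: $@" unless $ok;

# Only the validated row is in the table.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM producer");
print "rows: $count\n";
```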