Tainted placeholder value

Transcribed verbatim from CPAN RT#127542, warts and all.

Thu Nov 01 13:08:24 2018 mp2 [...] netcasters.com - Ticket created Subject: Tainted placeholder value

Date: Thu, 1 Nov 2018 12:59:33 -0400 To: bug-DBI@rt.cpan.org From: Ted mp2@netcasters.com

Hi,

When the id in the query below is tainted, the avg_score is 0, yet the count is 2.

I always thought placeholders didn't care about tainted values?
If they do, then shouldn't the whole query blow up?

If the selectrow_array is substituted for prepare/execute/fetchrow_array then there is no problem.

------------------------------------------------------------------------

#!/usr/bin/perl -t
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

sub taint_string {
    my $value = shift;
    open my $fh, '<', \$value or die "Can't open: $!";
    local $/;    # Slurp
    return <$fh>;
}

my $dbh = DBI->connect("dbi:mysql:database=xyz",'ux','px');

my $id = 1;
$id = taint_string($id);

my $sql = "SELECT AVG(Score), COUNT(*) FROM zzz_scores where Id >= ?";

my($avg_score, $count) = $dbh->selectrow_array($sql, undef, $id);

if (defined $dbh->err()) { die $dbh->errstr(); }

print "($avg_score, $count)\n";

$dbh->disconnect();

-------------------------------------------------------------------------

CREATE TABLE zzz_scores (
  `Id` smallint(5) unsigned NOT NULL DEFAULT '0',
  `Score` float DEFAULT NULL,
  PRIMARY KEY (Id)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

insert into zzz_scores values(1, 90);
insert into zzz_scores values(5, 100);

-------------------------------------------------------------------------

Perl 5.28 DBI 1.642 MySQL 8.0.12

perl5-dbi / dbi

Tainted placeholder value #160