Sorry for the delay, haukex.
It's taken a little while but I have replicated the problem. First I converted it to run in a CGI context on a webserver. I could not replicate it and was beginning to think I never had the problem...but by changing the idPerson column to an INT I can break it by turning on taint mode:
#!/usr/bin/perl -T
use CGI::Carp qw(fatalsToBrowser);
use warnings;
use strict;
use feature 'say';
use Scalar::Util qw/tainted/;
use DBI;
use DBI::Const::GetInfoType;

# Take the arguments from the query string under CGI, otherwise from the command line
my @argv;
if ($ENV{'GATEWAY_INTERFACE'}) {
    @argv = split /&/, $ENV{'QUERY_STRING'};
} else {
    @argv = @ARGV;
}

my $db_user = 'xxx';
my $db_pass = 'xxx';
my $dbh = DBI->connect(
    "DBI:mysql:database=shoples1_testing;host=127.0.0.1", $db_user,
    $db_pass, { RaiseError=>1, AutoCommit=>1, TaintIn=>0 });

print "Content-type: text/plain\n\n";
say "Perl: $]";
say "Database: ",
    $dbh->get_info( $GetInfoType{SQL_DBMS_NAME} ), " ",
    $dbh->get_info( $GetInfoType{SQL_DBMS_VER} );
say "Driver: ", $dbh->{Driver}->{Name};
say "DBI Ver: ", $DBI::VERSION;
say "DBD::mysql Ver: ", $DBD::mysql::VERSION;

$dbh->do('DROP TABLE IF EXISTS Person');
$dbh->do(<<'ENDSQL');
CREATE TABLE Person (
    idPerson INT,
    email VARCHAR(256),
    altEmail VARCHAR(256)
);
ENDSQL
$dbh->do('INSERT INTO Person (idPerson, email, altEmail) VALUES (5, ?, "foo@bar.com");', undef, $argv[1]);

die "run me with an empty string as the first argument"
    unless @argv && !length $argv[0];
my %data = ( email => $argv[1] );
say "Email is tainted" if tainted($data{'email'});
say "EMAIL: $argv[1]";

# Same lookup two ways: prepare/execute/fetchrow_array versus selectrow_array
my $query = $dbh->prepare("SELECT idPerson FROM Person WHERE email = ? OR altEmail = ?");
$query->execute($data{'email'}, $data{'email'});
my ($crid) = $query->fetchrow_array;
say "CRID: $crid";
my ($test) = $dbh->selectrow_array("SELECT idPerson FROM Person WHERE email = ? OR altEmail = ?", undef, $data{'email'}, $data{'email'});
say "TEST: $test";
__END__
Without taint mode I get this:
Perl: 5.016003
Database: MySQL 10.2.39-MariaDB
Driver: mysql
DBI Ver: 1.643
DBD::mysql Ver: 4.050
EMAIL: foo@bar.com
CRID: 5
TEST: 5
By doing nothing other than adding the -T switch to the shebang, I get this:
Perl: 5.016003
Database: MySQL 10.2.39-MariaDB
Driver: mysql
DBI Ver: 1.643
DBD::mysql Ver: 4.050
Email is tainted
EMAIL: foo@bar.com
CRID: 5
TEST: 0
The script has been adapted to run from the command line or under CGI. The output is the same in both cases, so it is not an environment issue.
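To isolate whether the taintedness of the bind value is what flips the selectrow_array result, here is an added check (not part of the reply above): it runs the same two query forms once with the tainted argument and once with a copy untainted through a regex capture, and prints the results side by side. The DSN, credentials and the Person table are assumed to match the reproduction script; the email pattern is a hypothetical validation rule, not one from the post.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use feature 'say';
use Scalar::Util qw(tainted);
use DBI;

# Assumed to match the reproduction script: same DSN, credentials and Person table.
my $dbh = DBI->connect("DBI:mysql:database=shoples1_testing;host=127.0.0.1",
    'xxx', 'xxx', { RaiseError => 1, AutoCommit => 1 });

# Under -T anything from @ARGV (or the query string) is tainted.
my $tainted_email = $ARGV[0] // die "usage: $0 email\n";

# Untaint only after validation: a capture from a regex match is the
# documented way to obtain an untainted copy under -T. The pattern is a
# hypothetical, deliberately simple email check.
my ($clean_email) = $tainted_email =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/
    or die "rejecting input that does not look like an email address\n";

# Run both query forms with one value and report them on a single line,
# so the only difference between the two report lines is taintedness.
sub lookup {
    my ($label, $email) = @_;
    my $sth = $dbh->prepare(
        "SELECT idPerson FROM Person WHERE email = ? OR altEmail = ?");
    $sth->execute($email, $email);
    my ($via_execute) = $sth->fetchrow_array;
    my ($via_selectrow) = $dbh->selectrow_array(
        "SELECT idPerson FROM Person WHERE email = ? OR altEmail = ?",
        undef, $email, $email);
    say sprintf "%-9s tainted=%d prepare/execute=%s selectrow_array=%s",
        $label, tainted($email) ? 1 : 0,
        $via_execute // 'undef', $via_selectrow // 'undef';
}

lookup('tainted',   $tainted_email);
lookup('untainted', $clean_email);
```

If the two report lines differ only in the selectrow_array column, the taint flag on the bind value is the trigger; if they agree, the cause lies elsewhere in the driver.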