Sorry for the delay haukex

It's taken a little while but I have replicated the problem. First I converted it to run in a CGI context on a webserver. I could not replicate it and was beginning to think I never had the problem...but by changing the idPerson column to an INT I can break it by turning on taint mode:

#!/usr/bin/perl -T

use CGI::Carp qw(fatalsToBrowser);

use warnings;
use strict;
use feature 'say';
use Scalar::Util qw/tainted/;
use DBI;
use DBI::Const::GetInfoType;

my @argv;
if ($ENV{'GATEWAY_INTERFACE'}) {
    @argv = split /&/, $ENV{'QUERY_STRING'};
} else {
    @argv = @ARGV;
}

my $db_user = 'xxx';
my $db_pass = 'xxx';
my $dbh = DBI->connect(
    "DBI:mysql:database=shoples1_testing;host=127.0.0.1", $db_user,
    $db_pass, { RaiseError=>1, AutoCommit=>1, TaintIn=>0 });

print "Content-type: text/plain\n\n";

say "Perl: $]";
say "Database: ",
    $dbh->get_info( $GetInfoType{SQL_DBMS_NAME} ), " ",
    $dbh->get_info( $GetInfoType{SQL_DBMS_VER} );
say "Driver: ", $dbh->{Driver}->{Name};
say "DBI Ver: ", $DBI::VERSION;
say "DBD::mysql Ver: ", $DBD::mysql::VERSION;

$dbh->do('DROP TABLE IF EXISTS Person');
$dbh->do(<<'ENDSQL');
CREATE TABLE Person (
    idPerson INT,
    email VARCHAR(256),
    altEmail VARCHAR(256)
);
ENDSQL
$dbh->do('INSERT INTO Person (idPerson, email, altEmail) VALUES (5, ?,
+ "foo@bar.com");', undef, $argv[1]);

die "run me with an empty string as the first argument"
    unless @argv && !length $argv[0];
my %data = ( email => $argv[1] );
say "Email is tainted" if tainted($data{'email'});

say "EMAIL: $argv[1]";

my $query = $dbh->prepare("SELECT idPerson FROM Person WHERE email = ?
+ OR altEmail = ?");
$query->execute($data{'email'}, $data{'email'});
my ($crid) = $query->fetchrow_array;
say "CRID:  $crid";

my ($test) = $dbh->selectrow_array("SELECT idPerson FROM Person WHERE 
+email = ? OR altEmail = ?", undef, $data{'email'}, $data{'email'});
say "TEST:  $test";

__END__

[download]

Without taint mode I get this: 

Perl: 5.016003
Database: MySQL 10.2.39-MariaDB
Driver: mysql
DBI Ver: 1.643
DBD::mysql Ver: 4.050
EMAIL: foo@bar.com
CRID:  5
TEST:  5

[download]
By doing nothing other than adding the -T switch to the shebang and I get this: 
Perl: 5.016003
Database: MySQL 10.2.39-MariaDB
Driver: mysql
DBI Ver: 1.643
DBD::mysql Ver: 4.050
Email is tainted
EMAIL: foo@bar.com
CRID:  5
TEST:  0

[download]

The script has been adapted to run from the command line or under CGI. The output is the same in both cases so it is not an environment issue.

In reply to Re^10: Recalcitrant placeholders by Bod
in thread Recalcitrant placeholders by Bod

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.