Re^2: Counting rows Sqlite

I would prefer that DBI issued a warning or even refuse to work with inline values, but that would add a lot of overhead, as DBI would need to actually parse the SQL statement.

Worse than that, it would simply be impossible to do.

On receiving the query "SELECT * FROM foo WHERE bar = 'baz'", how would DBI know whether it had been called as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = 'baz'"); (which is fine - the baz is a hard-coded literal) or as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = '$myvar'"); (which is potentially dangerous)? Even if it could make that determination, in the latter case, how would it know whether $myvar's value came from user input (unsafe) or the statement my $myvar = 'baz'; (another hard-coded literal, so safe)?

We've already got taint mode and you can set DBI to reject tainted values (DBI->connect(..., { TaintIn => 1 })), but that's about as close as you're likely to be able to get.

Comment on Re^2: Counting rows Sqlite Select or Download Code

Replies are listed 'Best First'.
Re^3: Counting rows Sqlite by Corion (Patriarch) on May 10, 2010 at 10:32 UTC
Note that the SQL statement would be tainted as soon as you interpolate tainted variables into it.	[reply]
Re^4: Counting rows Sqlite by dsheroh (Monsignor) on May 11, 2010 at 07:15 UTC
Yes, I should have explicitly noted that. Thanks for adding it!	[reply]
Re^3: Counting rows Sqlite by afoken (Chancellor) on May 11, 2010 at 05:54 UTC
Tainting would also have been my answer to the problem of mixing untrusted user input with SQL fragments. For constants (your "hard-coded literals"), I really don't care. I've used DBI nearly daily in the last few years, and I rarely needed constants. And for the few cases where I really had constants, I replaced them with placeholders and a constant bind value just because I have the habit to pass all values using placeholders. So having DBI `warn` or `die` when it finds a string or number literal in an SQL statement would not hurt much, it would just force you to pass even constants via placeholders. Of course, this "paranoia mode" would break some existing code, and it needs to be disabled by default for a long time. Any by the way: Because no user code needs the `$dbh->quote()` method in "paranoia mode", DBI should `warn` or `die` when non-DBD code calls this method. I see a different problem that really blocks the implementation of this "paranoia mode": The different SQL dialects. For example, it is possible and sometimes needed to create PL/SQL code via DBI/DBD::Oracle, and that code may legally contain any hard-coded literal. So the actual parsing has to be done in the DBD code, at least for those special cases. DBI code may provide a default parser, for DBDs that don't have those special cases. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]
Re^4: Counting rows Sqlite by dsheroh (Monsignor) on May 11, 2010 at 07:22 UTC
Any by the way: Because no user code needs the $dbh->quote() method in "paranoia mode", DBI should warn or die when non-DBD code calls this method. Agreed, and I'd even take the extra step of saying that `->quote()` in user code should be seriously considered for deprecation, "paranoia mode" or no. There may be some valid case where it's needed that I haven't encountered, but it mostly just seems to be used by people coming from PHP and looking for an equivalent to `mysql_real_and_for_true_escape_string_i_really_mean_it()` because they can't be bothered to learn how to use placeholders (or, in the case of one individual I've argued the point with a few times, are convinced that placeholders are The Death Of Performance).	[reply] [d/l] [select]
Re^5: Counting rows Sqlite by wrog (Friar) on Jan 06, 2012 at 00:12 UTC
the problem with getting rid of $dbh->quote is that then people will just start inserting values directly	[reply]