Bug#584428: libdbd-mysql-perl: Placeholder and comments causes a hang and high cpu usage.
Dean Hamstead
dean at fragfest.com.au
Thu Jun 3 14:12:37 UTC 2010
sorry that triple - should be just a double --
also this would cause the same problem
"select * from coly where some_key = ? limit 1 --"
it would seem that in general, comments and placeholders aren't happy
together. however they used to be.
i was under the impression that it's always a good idea to put a comment
marker at the end of an sql line, to help prevent buffer overflow sql
injections. so this is hurting me as i have -- after all my sql :(
On 6/3/2010, "Dean Hamstead" <dean at fragfest.com.au> wrote:
>Package: libdbd-mysql-perl
>Version: 4.014-1
>Severity: important
>
>
>Hello
>
>i have found that the following will cause a script to hang and take 100% cpu usage...
>
>#!/usr/bin/perl
>
>use strict;
>use warnings;
>
>use DBI;
>
> my $dbh = DBI->connect('DBI:mysql:xxx:localhost','xxx','xxx') or die "cant connect to database: $DBI::errstr";
>
>## this works
> my $sth = $dbh->prepare('select * from col --') or die "Couldn't prepare statement: " . $dbh->errstr;
>
># etc...
>
>## this works
> $sth = $dbh->prepare('select * from coly where some_key = ? ') or die "Couldn't prepare statement: " . $dbh->errstr;
> $sth->execute(q|keyvalue|);
>
>## this hangs and goes to 100% cpu usage, strace shows nothing of value
> $sth = $dbh->prepare('select * from coly where some_key = ? ---') or die "Couldn't prepare statement: " . $dbh->errstr;
> $sth->execute(q|keyvalue|);
>
>
>___END___
>
>
>I don't have another database to try this on, but there is already a bug like this
>
>
>
>
>-- System Information:
>Debian Release: squeeze/sid
> APT prefers testing
> APT policy: (500, 'testing')
>Architecture: amd64 (x86_64)
>
>Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
>Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
>Shell: /bin/sh linked to /bin/dash
>
>Versions of packages libdbd-mysql-perl depends on:
>ii libc6 2.10.2-9 Embedded GNU C Library: Shared lib
>ii libdbi-perl [perl-db 1.610.90+is+1.609-1 Perl Database Interface (DBI)
>ii libmysqlclient16 5.1.46-1 MySQL database client library
>ii perl 5.10.1-12 Larry Wall's Practical Extraction
>ii perl-base [perlapi-5 5.10.1-12 minimal Perl system
>
>libdbd-mysql-perl recommends no packages.
>
>libdbd-mysql-perl suggests no packages.
>
>-- no debconf information
>
>
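Added example (not part of the original report, and not DBD::mysql's code): a C illustration of a statement scanner that counts `?` placeholders while skipping MySQL comments and quoted strings, with every inner loop bounded by the end of the statement so that a trailing `--` with no newline, as in the statements above, cannot keep it spinning. The function name `count_placeholders` and the last sample string are assumptions made for illustration; the report does not say where the hang occurs.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not DBD::mysql code): count '?' markers that sit
 * outside quoted strings and comments. Every inner loop also stops at the
 * terminating NUL, so an unterminated comment or string ends the scan. */
size_t count_placeholders(const char *sql)
{
    size_t n = 0;
    const char *p = sql;
    while (*p) {
        if (*p == '\'' || *p == '"' || *p == '`') {       /* quoted run */
            char q = *p++;
            while (*p && *p != q) {
                if (*p == '\\' && q != '`' && p[1]) p++;  /* escaped char */
                p++;
            }
            if (*p) p++;                                  /* closing quote */
        } else if (p[0] == '-' && p[1] == '-' &&
                   (p[2] == '\0' || p[2] == ' ' || p[2] == '\t' || p[2] == '\n')) {
            while (*p && *p != '\n') p++;                 /* "-- " comment */
        } else if (*p == '#') {
            while (*p && *p != '\n') p++;                 /* "#" comment */
        } else if (p[0] == '/' && p[1] == '*') {
            p += 2;
            while (*p && !(p[0] == '*' && p[1] == '/')) p++;
            if (*p) p += 2;                               /* closing marker */
        } else {
            if (*p == '?') n++;                           /* real placeholder */
            p++;
        }
    }
    return n;
}

int main(void)
{
    /* First three statements are from the report; the last is constructed. */
    const char *cases[] = {
        "select * from col --",
        "select * from coly where some_key = ? ---",
        "select * from coly where some_key = ? limit 1 --",
        "select '?' from coly where k = ? /* ? unterminated",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%zu  %s\n", count_placeholders(cases[i]), cases[i]);
    return 0;
}
```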