Subject: Re: Problem quoting parameters in execute()
From: Kragen Sitaker (kra@pobox.com)
Date: 08/20/2001 06:18:04 PM
List: com.mysql.lists.perl

About a year ago, Christian Jaeger was having a problem with DBD::mysql not correctly quoting values passed to execute() if they had been used in numeric context:

http://www.perl.jann.com/dbi-users/200008/msg00650.html

It doesn't look like the problem was understood by any of the people who responded at the time.

I just ran into this problem with DBD::mysql 2.0416 with Perl 5.6.1; Christian's message was enough of a hint for me to work around the problem by concatenating the null string to my troublesome variable in Perl: $var .= '';

Obviously this is a workaround, not a fix.

It should be noted that this is potentially a very serious security problem.

Has this problem been fixed in more recent versions of DBD::mysql? It isn't fixed in 2.0902.

In case it isn't clear from Christian's messages what's wrong, here's an example:

kragen@cheery:~/pkgs$ perl -w -Mstrict -MDBI -e 'my $dbh =
DBI->connect("DBI:mysql:KB", "root", ""); my $sth = $dbh->prepare("select * from
tp where source=?"); my $x = "flurgle"; my $y = $x + 1; $sth->execute($x); print
$sth->errstr, "\n"; $sth->finish; $dbh->disconnect'
Argument "flurgle" isn't numeric in add at -e line 1.
DBD::mysql::st execute failed: Unknown column 'flurgle' in 'where clause' at -e line 1.
Unknown column 'flurgle' in 'where clause'

Since the string passed to prepare() is syntactically correct, it should not be possible for execute() to give SQL syntax errors.

It's completely beyond me how a serious security bug in free software that powers thousands, if not hundreds of thousands, of important web sites can remain unfixed a year after it was reported, with short test programs and everything. Thank God MySQL doesn't support subselects yet.
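The following is an added example and not part of the message above or of DBI/DBD::mysql. It makes the mechanism visible from the Perl side: once a scalar has been used in numeric context it carries Perl's internal IV/NV flags, which a driver that decides "is this a number?" by flag inspection rather than by looking at the value would act on. The script reads those flags through the core `B` module, shows that the `$var .= ''` workaround from the message leaves the scalar as a plain string again, and wraps that into a helper that applies the workaround to every bind value before `execute()`. The function names (`has_numeric_flags`, `stringify_binds`, `execute_with_string_binds`) are hypothetical, the "flurgle" value is a constructed sample, and no database is opened.

```perl
#!/usr/bin/perl
# Added example (not from the original message or from DBD::mysql).
# Inspect the Perl-level numeric flags a driver might consult when
# deciding whether to quote a bind value, and show that the workaround
# from the message ($var .= '') rebuilds the scalar as a pure string.
use strict;
use warnings;
use B ();

# Return 1 if the scalar behind $ref carries any of Perl's IV/NV flags
# (public or private), i.e. it has been evaluated in numeric context.
sub has_numeric_flags {
    my ($ref) = @_;
    my $flags = B::svref_2object($ref)->FLAGS;
    my $mask  = B::SVf_IOK() | B::SVf_NOK() | B::SVp_IOK() | B::SVp_NOK();
    return ($flags & $mask) ? 1 : 0;
}

# Workaround from the message: appending the empty string makes Perl
# rebuild the scalar as a string-only value (POK), so a flag-based
# "this is a number" test no longer fires. Works on copies so the
# caller's variables are left untouched; undef (SQL NULL) is passed through.
sub stringify_binds {
    my @copies = @_;
    for my $v (@copies) {
        next unless defined $v;
        $v .= '';
    }
    return @copies;
}

# Hypothetical wrapper for DBI: run execute() with every defined bind
# value forced to string-ness first. $sth is any DBI statement handle.
sub execute_with_string_binds {
    my ($sth, @binds) = @_;
    return $sth->execute(stringify_binds(@binds));
}

# Walk a constructed sample value through the same steps as the message:
# plain string, then numeric context, then the workaround.
sub demo {
    my $x = "flurgle";                           # constructed sample
    my $before = has_numeric_flags(\$x);
    my $y;
    { no warnings 'numeric'; $y = $x + 1; }      # numeric context, as in the message
    my $after  = has_numeric_flags(\$x);
    my ($clean) = stringify_binds($x);
    my $fixed  = has_numeric_flags(\$clean);
    return ($before, $after, $fixed);
}

if (!caller) {
    my ($before, $after, $fixed) = demo();
    printf "numeric flags before numeric use: %d\n", $before;
    printf "numeric flags after numeric use:  %d\n", $after;
    printf "numeric flags after .= '':        %d\n", $fixed;
}
```

Running the script prints the flag state at each step; the middle line is the one a driver would be reacting to. As a second line of defence on the DBI side, `bind_param` accepts an explicit type (for example `SQL_VARCHAR` from `use DBI qw(:sql_types)`), which states the intended quoting independently of the scalar's internal flags; whether the DBD::mysql versions discussed in the message honour that type is not something the message establishes, so it is listed here as an assumption rather than as the fix.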