Next stable DBD::SQLite will be released at the end of December

DBD::SQLite 1.61_04 (with SQLite 3.26.0) is a release candidate of the next stable DBD::SQLite. This release has a security fix for FTS users who allow arbitrary SQL statements from users for some reasons (usually because of a SQL injection vulnerability). I'll only wait for a week this time to gather CPAN testers' reports. So please test this with your applications, especially if you use FTS feature.

This release also introduces "sqlite_defensive" option, to disallow dangerous SQLite features such as updating "sqlite_master" table.

  my $dbh = DBI->connect('dbi:SQLite::memory:', undef, undef, {
    RaiseError => 1,
    PrintError => 0,
    sqlite_defensive => 1,

If you need finer control, you can use "sqlite_db_config" method as well.

  use DBD::SQLite::Constants qw/:database_connection_configuration_options/;

$dbh->sqlite_db_config( SQLITE_DBCONFIG_DEFENSIVE, 1 );

This release also provides an experimental feature to "fix" TYPE statement handle attribute ("sqlite_prefer_numeric_type" option). However, using this option may break your O/R mappers that have worked around this long-standing issue. Note also that SQLite uses dynamic type system (that means, the datatype of a value is associated with the value itself, not with its container column).

See changes for other minor fixes.

Leave a comment

About Kenichi Ishigaki

user-pic a Japanese perl programmer/translator, aka charsbar