Security Advisories (1)
CVE-2026-13766 (2026-06-30)

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.

NAME

DBIx::QuickORM::RowManager::Cached - Row manager with a per-source identity cache.

DESCRIPTION

A DBIx::QuickORM::RowManager that keeps at most one row object per primary key per source. Rows are stored under a per-source bucket keyed by their primary key and held weakly, so cached rows can be reused while still being garbage collected once no longer referenced.

SYNOPSIS

my $mgr = DBIx::QuickORM::RowManager::Cached->new(connection => $connection);

PUBLIC METHODS

$row = $mgr->do_cache_lookup($source, $fetched, $old_pk, $new_pk, $row)

Return the cached row for the source and primary key, or undef.

$row = $mgr->cache($source, $row, $old_pk, $new_pk)

Store the row in its source bucket under its new primary key (held weakly), removing any entry under the old primary key. Returns the row, or nothing for sources without a primary key. A row whose primary key has an undef component cannot be keyed and is returned uncached.

$row = $mgr->uncache($source, $row, $old_pk, $new_pk)

Remove and return the cached row for the given source and primary key. The primary key is taken from the supplied keys, or from the row itself when none are given.

$key = $mgr->cache_key($pk)

Build a single cache-key string from an arrayref of primary-key values, joining them on a separator; backslashes and separator characters inside a value are escaped. Returns undef when any component is undef, since such a key cannot be distinguished from an empty string.
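The escaping rule above matters because a composite primary key must map to exactly one key string. The following illustration (added here, not the module's own code) contrasts a separator-only escape, which lets two different primary keys collide, with the backslash-plus-separator escape the documentation describes; the separator character '|' and both function names are assumptions, since the page does not name the real separator.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed for illustration: the module's real separator is not documented
# on this page, so '|' is an assumption.
my $SEP = '|';

# Separator-only escaping: the flawed variant, shown for contrast.
sub naive_key {
    my ($pk) = @_;
    my @parts;
    for my $v (@$pk) {
        my $p = $v;
        $p =~ s/\Q$SEP\E/\\$SEP/g;   # escape the separator only
        push @parts, $p;
    }
    return join $SEP, @parts;
}

# Escaping as described for cache_key: backslash first, then the separator,
# and no key at all when any component is undef.
sub illustrative_cache_key {
    my ($pk) = @_;
    return undef if grep { !defined $_ } @$pk;
    my @parts;
    for my $v (@$pk) {
        my $p = $v;
        $p =~ s/\\/\\\\/g;            # escape the escape character first
        $p =~ s/\Q$SEP\E/\\$SEP/g;    # then the separator
        push @parts, $p;
    }
    return join $SEP, @parts;
}

# Two different primary keys: the pair ("a\", "b") and the single value "a|b".
my $two_part = ['a\\', 'b'];
my $one_part = ['a|b'];
# Separator-only escaping yields the same string for both, so a row cached
# under one key would be handed back for the other.
die "expected naive collision" unless naive_key($two_part) eq naive_key($one_part);
# Escaping the backslash as well keeps the two keys distinct.
die "full escaping must not collide"
    if illustrative_cache_key($two_part) eq illustrative_cache_key($one_part);
# An undef component produces no key rather than an ambiguous empty string.
die "undef component must not be keyed" if defined illustrative_cache_key([1, undef]);
printf "naive: %s == %s\n", naive_key($two_part), naive_key($one_part);
printf "full:  %s != %s\n", illustrative_cache_key($two_part), illustrative_cache_key($one_part);
```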

PRIVATE METHODS

$mgr->_purge_dead($scache)

Delete entries from a source bucket whose weakly-held row has been garbage collected.

SOURCE

The source code repository for DBIx::QuickORM can be found at https://github.com/exodist/DBIx-QuickORM.

MAINTAINERS

Chad Granum <exodist@cpan.org>

AUTHORS

Chad Granum <exodist@cpan.org>

COPYRIGHT

Copyright Chad Granum <exodist7@gmail.com>.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See https://dev.perl.org/licenses/