Security Advisories (1)
CVE-2026-13766 (2026-06-30)

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.
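The following is an added example, not code from DBIx::QuickORM, showing the two SQL::Abstract configurations the advisory contrasts and the defence a caller should apply regardless of which ORM version is installed. The allowlist helper `order_by_for` and the `%ALLOWED` column set are this example's own constructs; `quote_char`, `name_sep` and `bindtype` are real SQL::Abstract constructor options.

```perl
use strict;
use warnings;
use SQL::Abstract;

# Constructed allowlist standing in for the columns a real query may sort on.
my %ALLOWED = map { $_ => 1 } qw(id name created_at);

# Hypothetical helper: caller-supplied identifiers are validated against the
# allowlist before they reach any identifier position (order_by, where keys,
# field/returning lists). This is the primary defence; quoting is defence in depth.
sub order_by_for {
    my ($requested) = @_;
    die "unknown sort column\n"
        unless defined $requested && $ALLOWED{$requested};
    return $requested;
}

# Weak configuration (the advisory's condition): bindtype is set but quote_char
# is not, so SQL::Abstract emits identifiers verbatim into the SQL string.
my $unquoted = SQL::Abstract->new(bindtype => 'normal');

# Hardened configuration: quote_char makes SQL::Abstract wrap every identifier
# it emits; name_sep lets dotted names ("table.column") be quoted part by part.
my $quoted = SQL::Abstract->new(
    bindtype   => 'normal',
    quote_char => '"',
    name_sep   => '.',
);

my $col = order_by_for('name');

# Values ({ id => 42 }) are placeholder-bound in both cases; only identifier
# handling differs between the two statements.
my ($stmt_unquoted, @bind_unquoted) =
    $unquoted->select('users', [qw(id name)], { id => 42 }, $col);
my ($stmt_quoted, @bind_quoted) =
    $quoted->select('users', [qw(id name)], { id => 42 }, $col);

print "unquoted identifiers: $stmt_unquoted\n";
print "quoted identifiers:   $stmt_quoted\n";
print "bind values:          @bind_quoted\n";

# An identifier outside the allowlist never reaches the SQL builder at all.
eval { order_by_for('not_a_column') } or print "rejected: $@";
```

Compare the two printed statements: the first carries the column names bare, the second wraps each one in double quotes, while the bind list is identical. Upgrading to a fixed DBIx::QuickORM supplies the quoting; the allowlist is still worth keeping, since an attacker-chosen but syntactically valid column name can reveal ordering information even when it is quoted correctly.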

NAME

DBIx::QuickORM::Util::Mask - Lazily-built wrapper that hides a heavy object from dumps and stack traces while delegating to it.

DESCRIPTION

Wraps an object so it does not bloat Data::Dumper output or Carp stack traces (an unmasked DateTime, for example, dumps hundreds of lines on its own), while still behaving like the object for method calls.

The wrapped object is built lazily: the generator is not run until the value is actually used (a method call, numification, etc.). Stringification is the exception - it returns a fixed display string and never triggers the generator, so printing a value is always cheap.

The real object lives inside the generator closure, never in a visible slot, so it stays hidden from dumps even after it has been built.

SYNOPSIS

use DBIx::QuickORM::Util::Mask;

my $mask = DBIx::QuickORM::Util::Mask->new(
    string    => "2026-05-24 12:00:00",   # what it stringifies to
    generator => sub { expensive_parse(...) },
    mask_class => 'My::Subclass',          # optional, defaults to this class
);

print "$mask";        # the display string, nothing is built
$mask->some_method;   # builds the object (once) and delegates
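The following is an added illustration of the pattern the DESCRIPTION outlines, written for this page rather than taken from DBIx::QuickORM::Util::Mask itself. The package names Demo::Mask and Demo::Heavy, the `ymd` method and the call counter are this example's own; the real module's internals may differ, and the point is only to show why the closure keeps the built object out of a dump.

```perl
use strict;
use warnings;

# Hypothetical stand-in for an expensive object (a DateTime, say).
package Demo::Heavy;
sub new { my $class = shift; bless { payload => [ (0) x 1000 ] }, $class }
sub ymd { '2026-05-24' }

# Hypothetical mask: fixed stringification, lazy build, delegation via AUTOLOAD.
package Demo::Mask;
use Carp qw(croak);
use overload
    '""'     => sub { $_[0]->{string} },   # display string only; never builds
    fallback => 1;

sub new {
    my ($class, %args) = @_;
    my $gen = $args{generator} or croak "generator is required";
    my $built;
    # The real object lives only in this closure, never in a hash slot, so
    # Data::Dumper shows a CODE ref here instead of the heavy object.
    my $fetch = sub { $built //= $gen->() };
    return bless { string => $args{string} // '', generator => $fetch }, $class;
}

our $AUTOLOAD;
sub AUTOLOAD {
    my $self = shift;
    (my $name = $AUTOLOAD) =~ s/.*:://;
    return if $name eq 'DESTROY';
    # First method call builds the object (once); later calls reuse it.
    return $self->{generator}->()->$name(@_);
}

package main;
use Data::Dumper;

my $calls = 0;   # counts how many times the generator actually ran
my $mask  = Demo::Mask->new(
    string    => '2026-05-24 12:00:00',
    generator => sub { $calls++; Demo::Heavy->new },
);

print "display: $mask\n";            # generator not run; $calls is still 0
print "built so far: $calls\n";
print "ymd: ", $mask->ymd, "\n";      # builds the object and delegates
$mask->ymd;                           # reuses it; $calls stays at 1
print "built so far: $calls\n";

# The dump shows the display string and a CODE ref, not the 1000-element payload.
local $Data::Dumper::Indent = 1;
print Dumper($mask);
```

Running this prints the display string before any build has happened, then a build count of one after two delegated calls, and finally a dump of two small slots. If the built object were stored in the hash instead of the closure, the same Dumper call would print the whole payload.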

SOURCE

The source code repository for DBIx::QuickORM can be found at https://github.com/exodist/DBIx-QuickORM.

MAINTAINERS

Chad Granum <exodist@cpan.org>

AUTHORS

Chad Granum <exodist@cpan.org>

COPYRIGHT

Copyright Chad Granum <exodist7@gmail.com>.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See https://dev.perl.org/licenses/