Gabor Szabo wrote:
> Hi,

> I have bumped into several issues with DBD::ODBC, the most important one is the
> Unicode problem.

> I found this patch by Alexander Foken
(that's me)
> http://www.alexander-foken.de/downloads.html
> that is good so far except that it only works using bound values.
And for good reasons.
> This example I added to the 41Unicode.t is broken.

>   $dbh->do("INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) values (100,
> '$data[0]', '$data[1]', '$data[2]')");
Do you know what SQL injection means? If yes, why do you still use this code style? If no, please learn what it means, a good starting point is http://en.wikipedia.org/wiki/SQL_injection

> (ok I know we should only use bound values but there are tons of code
> working without so it would be nice if that worked as well.)
Why should I (or someone else) build (probably huge) workarounds only to *OPEN* security holes?

OK, that's enough ranting for today, back to the facts:

It can't work, because the ODBC API only accepts non-Unicode SQL statements, or at least I did not find a way to make ODBC work with SQL strings encoded in UTF-8 or UTF-16 from a non-Unicode application like perl.exe (and I think there is no way for a Unicode application to use a non-Unicode SQL string except by converting it to Unicode). The parameters are a completely different thing: they are passed to the ODBC database driver without modification, and (at least for the SQL Server and Oracle drivers) from there to the database server, again without modification, no matter whether the application is Unicode or non-Unicode (like perl.exe). The same applies to fetched column values.
> Will someone who understands this better than I do
> release a version to CPAN? Even if that is only an unofficial
> development release
> (e.g. 1.14_01)
I still hope for someone to do this. I do not have enough insight into ODBC on Win32 and the inner workings of DBI drivers to declare my patch as good enough for a release. For that, I would need to be sure that the code is right and works with all of DBI, not just know that it works with *one* application that uses only a small part of DBI. The patched code should at least disable the Win32-specific hack on non-Win32 platforms, preferably, it would also work on non-Win32 platforms. This is clearly something that was neither tested nor a target for the patch.

> Has Jeff Urlwin disappeared from the Perl world?
That's a *very* good question. Perhaps Tim Bunce knows more? If Jeff has gone, someone should take over DBD::ODBC development, and if not for Unicode support, then at least for the new DBI features added during the past three years.

Alexander

--
Alexander Foken
mailto:[EMAIL PROTECTED]  http://www.foken.de/alexander/
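An added example (not from this thread or from the DBD::ODBC test suite) that puts the interpolated statement from 41Unicode.t next to the bound-value form Alexander argues for, and checks that bound non-ASCII values survive the round trip. It assumes a DBI driver is installed: it defaults to an in-memory SQLite database (DBD::SQLite) so it runs offline, and the DBI_DSN environment variable can point it at a DBD::ODBC data source instead; the table and sample values are constructed for the demonstration.

```perl
use strict;
use warnings;
use DBI;

# Assumed: DBI_DSN may name a DBD::ODBC data source (e.g. 'dbi:ODBC:MyDSN');
# without it we fall back to an in-memory SQLite database so this runs offline.
my $dsn = $ENV{DBI_DSN} || 'dbi:SQLite:dbname=:memory:';
my $dbh = DBI->connect(
    $dsn, $ENV{DBI_USER}, $ENV{DBI_PASS},
    {
        RaiseError => 1,
        PrintError => 0,
        # SQLite needs this to return Unicode strings; ODBC relies on the patch.
        ( $dsn =~ /^dbi:SQLite/i ? ( sqlite_unicode => 1 ) : () ),
    },
);

# Constructed table using the column names from the test above.
$dbh->do('CREATE TABLE PERL_DBD_TABLE1 '
       . '(i INTEGER, nva NVARCHAR(50), nvb NVARCHAR(50), nvc NVARCHAR(50))');

# Constructed sample data: a non-ASCII character, a value containing a
# single quote, and an accented word.
my @data = ( "\x{263A}", "O'Brien", "caf\x{e9}" );

# Broken pattern from the test file: values interpolated into the SQL text.
# The statement text goes to ODBC as a non-Unicode string, so the wide
# character cannot be represented, and the quote in "O'Brien" turns the
# statement into a syntax error (or, with untrusted input, into other SQL).
eval {
    $dbh->do("INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) values (100, "
           . "'$data[0]', '$data[1]', '$data[2]')");
};
print "interpolated insert failed: $@" if $@;

# Correct pattern: placeholders. The SQL text stays plain ASCII and each
# value is bound as a parameter, which the driver passes on unmodified.
my $sth = $dbh->prepare(
    'INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) VALUES (?,?,?,?)');
$sth->execute( 101, @data );

# Fetch the row back and compare it with what was bound.
my $row = $dbh->selectrow_arrayref(
    'SELECT nva, nvb, nvc FROM PERL_DBD_TABLE1 WHERE i = ?', undef, 101 );
my $intact = join( "\0", @$row ) eq join( "\0", @data );
print $intact ? "bound values round-tripped intact\n" : "round trip mismatch\n";
$dbh->disconnect;
```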
