Gabor Szabo wrote:
Hi,
I have bumped into sever issue with DBD::ODBC, the most important one
is the
Unicode problem.
I found this patch by Alexander Foken
(that's me)
http://www.alexander-foken.de/downloads.html
that is good so far except that it only works using binded values.
And for good reasons.
This example I added to the 41Unicode.t is broken.
$dbh->do("INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) values (100,
'$data[0]', '$data[1]', '$data[2]')");
Do you know what SQL injection means? If yes, why do you still use this
code style? If no, please learn what it means, a good starting point is
http://en.wikipedia.org/wiki/SQL_injection
(ok I know we should only use binded values but there are tons of code
working without so it would be nice if that worked as well.
Why should I (or someone else) build (probably huge) workarounds only to
*OPEN* security holes?
OK, that's enough ranting for today, back to the facts:
It can't work, because the ODBC API only accepts non-Unicode SQL
statements, or at least I did not find a way to make ODBC work with SQL
strings encoded in UTF-8 or UTF-16 from a non-Unicode application like
perl.exe (and I think there is no way for a Unicode application to use a
non-Unicode SQL string except by converting it to Unicode). The
parameters are a completely different thing, they are passed to the ODBC
database driver without modification, and (at least for the SQL Server
and Oracle driver) from there to the database server, again without
modification, no matter if the application is Unincode or Non-Unicode
(like perl.exe). The same applies to fetched column values.
Will someone who understnads this better than I do
release a version to CPAN? Even if that is only an unofficial
development release
(e.g. 1.14_01 )
I still hope for someone to do this. I do not have enough insight into
ODBC on Win32 and the inner workings of DBI drivers to declare my patch
as good enough for a release. For that, I would need to be sure that the
code is right and works with all of DBI, not just know that it works
with *one* application that uses only a small part of DBI.
The patched code should at least disable the Win32-specific hack on
non-Win32 platforms, preferably, it would also work on non-Win32
platforms. This is clearly something that was neither tested nor a
target for the patch.
Has Jeff Urlwin disappeared from the Perl world?
That's a *very* good question. Perhaps Tim Bunce knows more? If Jeff has
gone, someone should take over DBD::ODBC development, and if not for
Unicode support, then at least for the new DBI features added during the
past three years.
Alexander
--
Alexander Foken
mailto:[EMAIL PROTECTED] http://www.foken.de/alexander/