On 6/27/07, Alexander Foken <[EMAIL PROTECTED]> wrote:
> I found this patch by Alexander Foken (that's me)
And thanks for making it available.
> Do you know what SQL injection means? If yes, why do you still use this code style? If no, please learn what it means; a good starting point is http://en.wikipedia.org/wiki/SQL_injection
Sure, I know. We are talking about an internal application at a client which, it seems, has no outside interface, so the risks are much smaller. In addition, this is legacy code they would like to keep working.
> It can't work, because the ODBC API only accepts non-Unicode SQL statements, or at least I did not find a way to make ODBC work with SQL strings encoded in UTF-8.
They have a patch that fixes the problem for inline SQL statements but does not work when using placeholders. I was asked to integrate this and publish it, but as I found your patch, and as I guess it was already tried by many more users than we have, it might make more sense to take your patch and add the capability to handle SQL statements without placeholders.

So I would like to see someone more knowledgeable than me start taking care of DBD::ODBC and collecting the available patches. Once I see that the patches already available are integrated and released as some development version, I hope I can find a way to send a patch including the extra fix for the maintainers' consideration. In any case, uploading new development versions of the module including the various patches will make it more accessible for anyone to test.

Regards, and thanks again for your work,

Gabor

--
Gabor Szabo http://www.szabgab.com/
Perl Training in Israel http://www.pti.co.il/
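As an added example (not code from this thread, nor from DBD::ODBC), the two statement styles the thread contrasts side by side in Perl DBI: the legacy inline form, where the value becomes part of the SQL text, and the placeholder form, where the value is bound separately. It assumes DBD::SQLite standing in for DBD::ODBC so that it runs offline; the DBI calls (prepare, execute with `?`) are the same for both drivers, and the table and sample names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# Assumption: DBD::SQLite (in-memory) stands in for DBD::ODBC so the example
# runs offline. sqlite_unicode makes the driver hand Perl character strings back.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 });

$dbh->do('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');

# Legacy inline style: the value is interpolated into the SQL text, so any
# quote character inside the data changes how the statement is parsed.
sub insert_inline {
    my ($name) = @_;
    my $sql = "INSERT INTO customers (name) VALUES ('$name')";
    return eval { $dbh->do($sql); 1 } ? 'ok' : "failed: $@";
}

# Placeholder style: the SQL text is fixed at prepare time; the value is
# bound at execute time and is never parsed as SQL.
sub insert_placeholder {
    my ($name) = @_;
    my $sth = $dbh->prepare('INSERT INTO customers (name) VALUES (?)');
    return eval { $sth->execute($name); 1 } ? 'ok' : "failed: $@";
}

# Constructed sample values: an ASCII name containing an apostrophe, and a
# non-ASCII (Hebrew) name to exercise the Unicode path the thread discusses.
my @samples = ("O'Brien", "\x{5D2}\x{5D1}\x{5D5}\x{5E8}");

for my $name (@samples) {
    printf "%-8s inline:      %s\n", $name, insert_inline($name);
    printf "%-8s placeholder: %s\n", $name, insert_placeholder($name);
}

# Read back each value, binding the lookup value as well.
my $sth = $dbh->prepare('SELECT COUNT(*) FROM customers WHERE name = ?');
for my $name (@samples) {
    $sth->execute($name);
    my ($count) = $sth->fetchrow_array;
    printf "%-8s rows stored: %d\n", $name, $count;
}
```

The inline insert of the apostrophe name fails with a syntax error because the data was parsed as SQL, while both placeholder inserts succeed and both values read back intact.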