Gabor Szabo wrote:
On 6/27/07, Alexander Foken <[EMAIL PROTECTED]> wrote:
> I found this patch by Alexander Foken
(that's me)
and thanks for making it available

Do you know what SQL injection means? If yes, why do you still use this
code style? If no, please learn what it means, a good starting point is
http://en.wikipedia.org/wiki/SQL_injection

Sure I know. We are talking about some internal application at a client
that it seems has no outside interface so the risks are much smaller.

In addition this is legacy code they would like to keep working.

It can't work, because the ODBC API only accepts non-Unicode SQL
statements, or at least I did not find a way to make ODBC work with SQL
strings encoded in UTF-8

they have a patch that fixes the problem for inline SQL statement but does not
work when using placeholders. I was asked to integrate this and publish it
but as I found your patch and as I guess it was already tried by much more
users than what we have it might make more sense to take your patch
and add the capability to handle sql statements without placeholders.

So I would like to see someone more knowledgeable than me starting to take
care of DBD::ODBC and starting to collect the available patches.

Once I see that the patches already available are integrated and
released as some development version I hope I can find a way to send a
patch including the extra fix for the maintainers consideration.

In any case uploading new development versions of the module including the
various patches will make it more accessible for anyone to test.

regards and thanks again for your work
  Gabor
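Added example, not from the thread or from DBD::ODBC: a heuristic Perl scan for legacy DBI call sites that interpolate variables into the SQL text instead of binding them with placeholders, the code style objected to above. The sample source lines are constructed, and the regexes are an assumption that only covers single-line double-quoted or qq{} first arguments.

```perl
#!/usr/bin/perl
# Heuristic scan for DBI calls that build SQL by string interpolation
# instead of placeholders. Added example, not part of the thread or of
# DBD::ODBC; the regexes are an assumption and only catch the common
# single-line forms ($dbh->do("..."), $dbh->prepare("..."), selectrow_*).
use strict;
use warnings;

# Constructed sample of legacy-style Perl source to scan.
my @sample = (
    'my $sth = $dbh->prepare("SELECT * FROM users WHERE name = \'$name\'");',
    '$dbh->do("DELETE FROM log WHERE id = $id");',
    'my $sth = $dbh->prepare("SELECT * FROM users WHERE name = ?");',
    '$sth->execute($name);',
    '$dbh->do(qq{UPDATE t SET v = $v WHERE k = ?}, undef, $k);',
    "\$dbh->do('INSERT INTO t VALUES (1)');",
);

# A DBI method that takes SQL text as its first argument.
my $dbi_call = qr/->\s*(?:do|prepare|prepare_cached|selectrow_\w+|selectall_\w+|selectcol_arrayref)\s*\(\s*/;
# Double-quoted or qq{} string literal (these interpolate; '...' does not).
my $dq_string = qr/(?:"((?:[^"\\]|\\.)*)"|qq\{((?:[^}\\]|\\.)*)\})/;

# Returns one hash per flagged line: { line => N, sql => 'the literal' }.
sub find_interpolated_sql {
    my @lines = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        my $line = $lines[$i];
        next unless $line =~ /$dbi_call$dq_string/;
        my $sql = defined $1 ? $1 : $2;
        # A Perl scalar or array interpolated into the SQL text.
        if ($sql =~ /(?<!\\)[\$\@]\w+/) {
            push @hits, { line => $i + 1, sql => $sql };
        }
    }
    return @hits;
}

# Lines 1, 2 and 5 of the sample are flagged; 3 uses a placeholder and
# 6 is single-quoted, so neither interpolates anything.
for my $hit (find_interpolated_sql(@sample)) {
    printf "line %d: interpolated SQL: %s\n", $hit->{line}, $hit->{sql};
    print  "         use a ? placeholder and pass the value to execute()\n";
}
```

Lines flagged by the scan are the ones where the value should move out of the SQL text and into the execute() or bind_param() argument list.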


I now have write access to the svn.perl.org subversion repository for DBD::ODBC. I will be adding the patches I posted over the last year or so later today (I've listed them below). Once these are in feel free to post any further patches to me (preferably against the trunk tree in subversion as of later today) and I will do my best to include them. When I work out how to produce a test release and depending on whether I'm inundated with changes I will do a test release next week and we can move forwards from there.

On the point of Alexander's unicode patch I seem to remember applying it over a year ago to my copy of DBD::ODBC but it broke building of DBD::ODBC on UNIX - perhaps my recollection is wrong.

Fixes:

Fix bug in dbd_bind_ph which leads to the error
Can't change param 1 maxlen (51->50) after first bind
in the 20SqlServer test. This is caused by svGROW in Perl 5.8.8 being changed to possibly grow by more than you asked (e.g. up to the next longword boundary).

Fix problem with binding undef as an output parameter. Reported by Stephen More with IBM's ODBC driver for iSeries.

Removed comment delimiters in comments in dbdimp.h leading to warnings.

Removed some unused variable declarations leading to warnings.

Fixed use of uninitialised variable in dbd_bind_ph where an undef is bound and tracing is enabled.

Fix to current test suite which fails some tests when connected to MS
SQL Server 2005 or Express.

Fix problem getting ParamValues after an execute has
failed e.g. in an error handler

and changes:

Removed PerlIO_flush calls as it is believed they are not required.

Add logging for whether SQLDescribeParam is supported.


Martin
--
Martin J. Evans
Easysoft Limited
http://www.easysoft.com