On Monday 21 April 2008, Dan Pascu wrote:
> > Right, this is one more reason for having in the DB API a clear
> > distinction between the string-like and blob-like types.
>
> SQL injection can happen with any of blob, text, char, varchar if not
> escaped. There is no distinction between the 2 regarding this issue.

Hi Dan,

At least db_mysql and db_postgres use escaping functions for DB_STRING, DB_STR and DB_BLOB. Iouri, how is this handled in the db_oracle module? For db_unixodbc there is a common escaping function used, but it is not activated by default. Perhaps this should be changed?

Cheers,

Henning
