On 21/05/2013 10:07, Holger Hans Peter Freyther wrote:
> On Tue, May 21, 2013 at 09:45:04AM +0200, Paolo Bonzini wrote:
>
>> Hmm, that would be a bug.
>
> DBI.MySQL.MySQLConnection fieldConverterClass uniqueInstance
>     print: ''';DROP TABLE;"DROP TABLE' on: stdout
>
> This is the 'dual-use' of the FieldConverter. It is good for
> SQLite/PostgreSQL queries but it is not really up to the task
> for MySQL. The question is what do we do with MySQL in terms
> of 'prepared' statements? The only thing I can think of is
> a better >>% that is also doing SQL escaping (like the escaping
> from ROE).
MySQL should take the output from FieldConverter and escape it.

Paolo

_______________________________________________
help-smalltalk mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-smalltalk
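Paolo's reply points at the gap Holger's one-liner exposes: the FieldConverter only knows the standard-SQL rule (double the single quote), which is right for SQLite and PostgreSQL but leaves MySQL's backslash escapes untouched. The Python below is an added illustration, not GNU Smalltalk DBI code and not ROE's escaping. It mimics how MySQL's lexer reads a single-quoted literal under the default sql_mode (backslash escapes enabled), shows a constructed value that survives quote-doubling yet breaks out of the literal in MySQL, and shows what the extra escaping pass Paolo asks for has to cover. The function names and the sample inputs are assumptions made for this example.

```python
# Added example (not GNU Smalltalk DBI code): why quote-doubling alone is not
# enough for MySQL, and what a MySQL-aware escaper has to add on top of it.
# Every input below is constructed for illustration.


def escape_standard(value: str) -> str:
    """Standard-SQL escaping, as used for SQLite and for PostgreSQL with
    standard_conforming_strings on: inside '...' the only special character
    is the quote itself, which is doubled."""
    return "'" + value.replace("'", "''") + "'"


def escape_mysql(value: str) -> str:
    """MySQL escaping for the default sql_mode (NO_BACKSLASH_ESCAPES not set):
    backslash is itself an escape character, so it must be escaped along
    with quotes, NUL and line terminators. This mirrors the character set
    handled by mysql_real_escape_string; it assumes a single-byte-safe
    charset such as utf8, not a multibyte one such as GBK."""
    table = {
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\x1a": "\\Z",
    }
    return "'" + "".join(table.get(ch, ch) for ch in value) + "'"


def mysql_string_literal_end(sql: str, start: int = 0) -> int:
    """Scan a MySQL single-quoted literal that begins at sql[start] and return
    the index just past its closing quote, honouring backslash escapes and
    doubled quotes the way MySQL's lexer does. Returns -1 if the literal
    never closes."""
    if sql[start:start + 1] != "'":
        raise ValueError("literal must start with a single quote")
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":
            i += 2  # backslash escapes the next character, whatever it is
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2  # doubled quote: still inside the literal
                continue
            return i + 1  # closing quote
        i += 1
    return -1


def mysql_sees_single_literal(sql: str) -> bool:
    """True if MySQL would parse all of `sql` as exactly one string literal,
    i.e. the escaped value did not break out of its quotes."""
    return sql[:1] == "'" and mysql_string_literal_end(sql) == len(sql)


def stays_inside_literal(escaper, value: str) -> bool:
    """Does `escaper` keep `value` inside one literal when MySQL parses it?"""
    return mysql_sees_single_literal(escaper(value))


if __name__ == "__main__":
    # Holger's value from the thread: only quotes, so both escapers are fine.
    holger = "';DROP TABLE;\"DROP TABLE"
    # Constructed value: a backslash right before the quote. Quote-doubling
    # turns it into \'' which MySQL reads as an escaped quote followed by the
    # real closing quote, so the rest runs as SQL.
    crafted = "\\'; DROP TABLE t; -- "
    for name, esc in (("standard", escape_standard), ("mysql", escape_mysql)):
        for value in (holger, crafted):
            print(f"{name:8s} {esc(value)!r:45s} safe={stays_inside_literal(esc, value)}")
```

The scanner is the test oracle here: it does not execute anything, it only asks whether MySQL's lexer would find the closing quote where the escaper put it. Two caveats a practitioner would add. If the server runs with NO_BACKSLASH_ESCAPES, backslash is no longer special and `escape_mysql` would over-escape, so an escaper in a driver has to know the connection's sql_mode (which is why the server-side escaping function, or server-side prepared statements, is the usual answer to Holger's question). And PostgreSQL before standard_conforming_strings became the default behaves like MySQL in this respect, so "good for PostgreSQL" holds only for the modern setting.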
