Stipe, list,

IMHO consuming DBPoolConns is not a bad thing. After all, that is why the pool even exists. So consuming and producing sql connections is not so expensive.

In your patch: Where exactly do you escape the parameters to the sql string? I couldn't find that so quick.

In most of the Chimit code, we use something like this:

    Octstr *sql = octstr_sql_format("SELECT * from table where pk = '%s'", PrimaryKey);

The function octstr_sql_format is crafted so that before replacing the value of PrimaryKey on the place that says %s in the format string, automatically it is sql-escaped.
This way, you never have to worry about escaping stuff - everything goes automagically.

This is a clean and generic solution that generates little coding effort.

Rene Kluwen
Chimit

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Stipe Tolj
Sent: Monday 26 September 2005 19:10
To: Kannel Development list
Subject: [PATCH] mysql_real_escape_string() usage in gw/dlr_mysql.c

Hi list,

according to bug #258 we don't use the string character escaping functions from mysql client library to ensure the safety of the SQL statements.

Attached is a patch for gw/dlr_mysql.c:dlr_mysql_add() which uses a static mysql_escaipe() that does this.

Please review and vote for commitment. This should be also extended to the other SQL statements, right?

Actually this is a bit "glitchy", since we have to consume the DBPoolConn* _before_ passing the strings to the mysql_real_escape_string() routine. It expects a mysql connection in order to ensure that it gets the right character set encoding.

Anyone having a better "way" in doing this? I don't feel it's the "smoothest" code for it, but it saves at least a sub-sequential consumption of DBPoolConn's while doing the string escaping. Any improvements welcome.

Stipe

mailto:stolj_{at}_wapme-group.de
-------------------------------------------------------------------
Wapme Systems AG

Vogelsanger Weg 80
40470 Düsseldorf, NRW, Germany

phone: +49.211.74845.0
fax: +49.211.74845.299

mailto:info_{at}_wapme-systems.de
http://www.wapme-systems.de/
-------------------------------------------------------------------
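
The auto-escaping format helper described in the reply above, as an added sketch that is not Chimit's or Kannel's code: `sql_format` and `sql_escape` are hypothetical names. The escaper is a charset-unaware stand-in for mysql_real_escape_string(), which needs the live connection as the original message notes.

```c
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in escaper (assumption): byte-level rules only, NOT charset-aware.
 * Real code would call mysql_real_escape_string() with the connection. */
static size_t sql_escape(char *dst, const char *src)
{
    size_t n = 0;
    for (; *src; src++) {
        char c = *src;
        switch (c) {
        case '\n': c = 'n'; break;
        case '\r': c = 'r'; break;
        case '\x1a': c = 'Z'; break;
        case '\'': case '"': case '\\': break;
        default: dst[n++] = c; continue;   /* ordinary byte: copy as-is */
        }
        dst[n++] = '\\';                   /* special byte: backslash + code */
        dst[n++] = c;
    }
    dst[n] = '\0';
    return n;
}

/* Hypothetical helper: every %s argument is escaped before substitution,
 * %% is a literal percent, anything else is rejected. Caller frees result. */
char *sql_format(const char *fmt, ...)
{
    va_list ap;
    size_t cap = strlen(fmt) + 1, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    va_start(ap, fmt);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { out[len++] = *p; continue; }
        if (*++p == '%') { out[len++] = '%'; continue; }
        if (*p != 's') { free(out); out = NULL; break; }  /* fail closed */
        const char *arg = va_arg(ap, const char *);
        cap += 2 * strlen(arg);            /* worst case: every byte escaped */
        char *tmp = realloc(out, cap);
        if (!tmp) { free(out); out = NULL; break; }
        out = tmp;
        len += sql_escape(out + len, arg);
    }
    va_end(ap);
    if (out) out[len] = '\0';
    return out;
}
```

Because the escaping happens inside the formatter, a caller cannot forget it for a `%s` value; the quotes around `'%s'` still have to be written in the format string itself.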