comp.lang.ada
From: "Thomas Løcke" <tl@ada-dk.org>
Subject: Re: Possible "bug" found in gnatcoll-sql_impl.adb
Date: Fri, 25 Feb 2011 15:53:48 +0100
Message-ID: <4d67c27c$0$23756$14726298@news.sunsite.dk>
In-Reply-To: <c09011b3-204f-441f-b575-f5403f0fd6a4@v31g2000vbs.googlegroups.com>

On 2011-02-25 15:44, Ludovic Brenta wrote:
> It seems GNATColl has a bug whereby it incorrectly converts the value
> of bound parameters to SQL, when it should not.


Exactly.

You're much better at expressing this than I am.  :o)


> Use prepared statements and bound parameters.  Always.  This avoids
> nasty issues such as quoting, protection against SQL injection
> attacks, etc.


That is my intention.

My current setup is PHP/PDO based, and uses prepared and parameterized
queries exclusively. None of my string data have those extra single
quotes, so I'd rather like to have that issue fixed in GNATColl before
I start using it in my environment.

-- 
Thomas Løcke

Email: tl at ada-dk.org
Web: http//:ada-dk.org
http://identi.ca/thomaslocke
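An added illustration, not code from this thread or from GNATColl, using Python's sqlite3 module as a stand-in for the GNATColl/PDO binding layer. It contrasts a correctly bound insert with the defect described above (the value is converted to an SQL literal before being bound, so its quotes land inside the stored string), shows why splicing data into the statement text is fragile, and includes a check that flags stored values carrying stray quotes. The table and sample names are constructed for the example.

```python
import sqlite3


def setup_db():
    """In-memory database with one constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT NOT NULL)")
    return conn


def quote_for_sql(value):
    """Hand-rolled SQL quoting: wrap in single quotes, doubling embedded ones."""
    return "'" + value.replace("'", "''") + "'"


def insert_bound(conn, name):
    """Correct: the raw value is bound; the driver never sees quotes from us."""
    conn.execute("INSERT INTO people (name) VALUES (?)", (name,))


def insert_double_quoted(conn, name):
    """Models the defect in the thread: the value is turned into an SQL
    literal and then bound, so the literal's quotes are stored as data."""
    conn.execute("INSERT INTO people (name) VALUES (?)", (quote_for_sql(name),))


def insert_concatenated(conn, name):
    """Fragile: data spliced into statement text; an apostrophe breaks parsing."""
    conn.execute("INSERT INTO people (name) VALUES ('" + name + "')")


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY rowid")]


def check_extra_quotes(values):
    """Detection: stored strings wrapped in single quotes indicate double quoting."""
    return [v for v in values if len(v) >= 2 and v[0] == "'" and v[-1] == "'"]


def demo(name="O'Brien"):
    """Run all three variants on the same input; return stored rows and any error."""
    conn = setup_db()
    insert_bound(conn, name)
    insert_double_quoted(conn, name)
    try:
        insert_concatenated(conn, name)
        concat_error = None
    except sqlite3.OperationalError as exc:
        concat_error = str(exc)
    return stored_names(conn), concat_error
```

Running `demo()` stores `O'Brien` once cleanly and once as `'O''Brien'`, and the concatenated variant fails to parse; `check_extra_quotes` picks out the double-quoted row.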


Thread overview:
2011-02-23 11:58 GNATcoll and parameterized queries have me confused Thomas Løcke
2011-02-23 12:32 ` Thomas Løcke
2011-02-25 14:11 ` Possible "bug" found in gnatcoll-sql_impl.adb Thomas Løcke
2011-02-25 14:44   ` Ludovic Brenta
2011-02-25 14:53     ` Thomas Løcke [this message]
2011-02-28 11:17       ` Ludovic Brenta
2011-02-28 14:04         ` Emmanuel Briot
2011-03-01  8:03           ` Thomas Løcke