From: Thomas Løcke
Date: Fri, 25 Feb 2011 15:53:48 +0100
Newsgroups: comp.lang.ada
Subject: Re: Possible "bug" found in gnatcoll-sql_impl.adb
Message-ID: <4d67c27c$0$23756$14726298@news.sunsite.dk>

On 2011-02-25 15:44, Ludovic Brenta wrote:

> It seems GNATColl has a bug whereby it incorrectly converts the value
> of bound parameters to SQL, when it should not.

Exactly. You're much better at expressing this than I am. :o)

> Use prepared statements and bound parameters. Always. This avoids
> nasty issues such as quoting, protection against SQL injection
> attacks, etc.

That is my intention. My current setup is PHP/PDO based, and uses prepared and parameterized queries exclusively.
None of my string data have those extra single quotes, so I'd rather like to have that issue fixed in GNATColl before I start using it in my environment.

-- 
Thomas Løcke

Email: tl at ada-dk.org
Web: http//:ada-dk.org
http://identi.ca/thomaslocke
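
A round-trip check for the symptom discussed in this message, as an added example that is not from the thread or from GNATColl. It uses Python's sqlite3 module, and `sql_quote` and `quote_before_bind` are hypothetical names that mimic a layer converting a bound value to an SQL literal before binding it.

```python
import sqlite3


def sql_quote(value: str) -> str:
    """Render a string as an SQL literal. Only valid when building SQL text."""
    return "'" + value.replace("'", "''") + "'"


def store(conn, value, quote_before_bind):
    """Insert value through a bound parameter and return what the database holds.

    quote_before_bind=True mimics the behaviour described in the thread
    (an assumption for illustration): the value is converted to an SQL
    literal and then bound anyway, so the quotes become part of the data.
    """
    bound = sql_quote(value) if quote_before_bind else value
    cur = conn.execute("INSERT INTO person (name) VALUES (?)", (bound,))
    row = conn.execute(
        "SELECT name FROM person WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


def roundtrip_report(values):
    """Return (original, stored_when_bound_raw, stored_when_quoted_first)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT)")
    report = [(v, store(conn, v, False), store(conn, v, True)) for v in values]
    conn.close()
    return report


def mangled(report):
    """Values whose quoted-then-bound round trip no longer matches the input."""
    return [orig for orig, _raw, quoted in report if quoted != orig]


# Constructed sample values, including ones that stress quote handling.
SAMPLES = ["Thomas", "O'Brien", "a''b"]

if __name__ == "__main__":
    for original, raw, quoted in roundtrip_report(SAMPLES):
        print(f"{original!r}: bound raw -> {raw!r}, quoted then bound -> {quoted!r}")
```

Running the same insert-then-select comparison against a real database layer is a quick regression test for this class of bug: any stored value that differs from its input means the layer is altering bound parameters.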