Re: [gnome-db] patch to replace gda_connection_escape_string() with gda_connection_value_to_sql_string()



Bas, can you try this patch, it builds ok here, and should export the
method to the right place.

http://devel.akbkhome.com/svn/index.php/libgda/to_sql_string_fixes.diff.txt

At present the to_sql_local is susceptible to SQL injection attacks, so
it's probably better to use the string escaping in this.

Regards
Alan

On Tue, 2005-04-12 at 16:55 +0800, Alan Knowles wrote:
> In the libgda.h, I think this
> 
> gchar        *gda_mysql_value_to_sql_string (GdaValue *value);
> 
> should be replaced with
> 
> static gchar *gda_mysql_provider_value_to_sql_string (
> 			GdaServerProvider *provider,
> 			GdaConnection *cnc,
> 			GdaValue *from);
> 
> I don't have any code that uses recordset, to test it with, but if you
> can check it works, I'll add it in.
> 
> Regards
> Alan
> 
> On Mon, 2005-04-11 at 21:40 +1000, Bas Driessen wrote:
> > On Sat, 2005-03-19 at 14:10 +0800, Alan Knowles wrote: 
> > > Committed, but I buggered up the commit message. How did you get the
> > > head of ChangeLog to be used as the message?
> > > 
> > > Regards
> > > Alan
> > > 
> > > On Thu, 2005-03-17 at 16:23 +0100, Rodrigo Moya wrote:
> > > > On Wed, 2005-03-16 at 21:04 +0800, Alan Knowles wrote:
> > > > > I've finally found time to get back on this - 
> > > > > http://devel.akbkhome.com/svn/index.php/libgda/final.to_sql.patch.txt
> > > > > 
> > > > > Is tested against mysql, and builds against postgres. I'm not quite sure
> > > > > where the release/commit status is, as this breaks the API, for anyone
> > > > > who happened to use the old escape_string method..
> > > > > 
> > > > > Let me know if it should be committed (I may have to dig up my old commit
> > > > > keys)
> > > > > 
> > > > yes, please commit, looks good indeed. Only commit to CVS HEAD, there we
> > > > can break the API.
> > 
> > Alan,
> > 
> > There is a problem with this patch in
> > "providers/mysql/gda-mysql-recordset.c" There you call
> > "gda_mysql_provider_value_to_sql_string" in functions
> > "gda_mysql_recordset_append_row" and "gda_mysql_recordset_remove_row".
> > My applications (using MySQL, PostgreSQL is still OK) that call those
> > functions abort now with :
> > 
> > symbol lookup
> > error: /opt/builds/gnome-db/cvs/live/head/libgda/lib/libgda-1.3/providers/libgda-mysql.so: undefined symbol: gda_mysql_provider_value_to_sql_string
> > 
> > So I made a small (ugly) hack so that it works again. From those 2
> > functions I call the old (restored) functions again. I have no time at
> > the moment to properly investigate. Perhaps you can review your work
> > and update it so it works in the record set functions as well?
> > 
> > Thanks,
> > 
> > Bas.
> > 
> > 
> > 
> > 
> 
> _______________________________________________
> gnome-db-list mailing list
> gnome-db-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-db-list
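
Added example, not part of the thread and not libgda code: the difference between rendering a string value into SQL with and without escaping, which is the injection concern raised in the top message. The `value` struct and the functions `to_sql_naive`, `to_sql_escaped` and `is_single_literal` are hypothetical names, and the escaping assumes MySQL's default mode where backslash is an escape character.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a typed value; not libgda's GdaValue. */
typedef struct { int is_string; long i; const char *s; } value;

/* Unescaped rendering: wraps the text in quotes as-is (injectable). */
char *to_sql_naive(const value *v) {
    size_t n = (v->is_string ? strlen(v->s) : 0) + 32;
    char *out = malloc(n);
    if (out && v->is_string) snprintf(out, n, "'%s'", v->s);
    else if (out) snprintf(out, n, "%ld", v->i);
    return out;
}

/* Escaped rendering: doubles ' and \ inside the literal (assumed MySQL default mode). */
char *to_sql_escaped(const value *v) {
    if (!v->is_string) return to_sql_naive(v);
    char *out = malloc(2 * strlen(v->s) + 3), *p = out;  /* all bytes doubled + quotes + NUL */
    if (!out) return NULL;
    *p++ = '\'';
    for (const char *c = v->s; *c; c++) {
        if (*c == '\'' || *c == '\\') *p++ = *c;         /* emit the special byte twice */
        *p++ = *c;
    }
    *p++ = '\''; *p = '\0';
    return out;
}

/* Returns 1 if sql is exactly one quoted literal whose closing quote is its last byte. */
int is_single_literal(const char *sql) {
    size_t n = strlen(sql);
    if (n < 2 || sql[0] != '\'') return 0;
    for (size_t i = 1; i < n; i++) {
        if (sql[i] == '\\') { i++; continue; }           /* backslash escapes next byte */
        if (sql[i] != '\'') continue;
        if (sql[i + 1] == '\'') { i++; continue; }       /* '' is an escaped quote */
        return i == n - 1;                               /* lone quote must end the literal */
    }
    return 0;                                            /* literal never closed */
}

int main(void) {
    value v = {1, 0, "O'Brien"};                         /* constructed sample input */
    char *a = to_sql_naive(&v), *b = to_sql_escaped(&v);
    if (a && b) printf("%s -> %d\n%s -> %d\n", a, is_single_literal(a), b, is_single_literal(b));
    free(a); free(b);
    return 0;
}
```

A real provider would delegate string escaping to the database client library (for MySQL, `mysql_real_escape_string`), which also accounts for the connection character set.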



