Re: [Help-smalltalk] [PATCH] postgres: Work on formatting Smalltalk type
From: Paolo Bonzini
Subject: Re: [Help-smalltalk] [PATCH] postgres: Work on formatting Smalltalk types for PostgreSQL
Date: Tue, 21 May 2013 18:06:05 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130514 Thunderbird/17.0.6

On 21/05/2013 10:07, Holger Hans Peter Freyther wrote:
> On Tue, May 21, 2013 at 09:45:04AM +0200, Paolo Bonzini wrote:
>
>> Hmm, that would be a bug.
>
> DBI.MySQL.MySQLConnection fieldConverterClass uniqueInstance
> print: ''';DROP TABLE;"DROP TABLE' on: stdout
>
> This is the 'dual-use' of the FieldConverter. It is good for
> SQLite/PostgreSQL queries but it is not really up to the task
> for MySQL. The question is what do we do with MySQL in terms
> of 'prepared' statements? The only thing I can think of is
> a better >>% that is also doing SQL escaping (like the escaping
> from ROE).
MySQL should take the output from FieldConverter and escape it.
Paolo