Re: next version of DBD::ODBC including available unicode patch?
- From: alexander@xxxxxxxx (Alexander Foken)
- Date: Tue, 26 Jun 2007 23:22:24 +0200
Gabor Szabo wrote:
> Hi,
> I have bumped into several issues with DBD::ODBC, the most important one is the
> Unicode problem.
> I found this patch by Alexander Foken

(that's me)

> http://www.alexander-foken.de/downloads.html
> that is good so far except that it only works using bound values.

And for good reasons.

> This example I added to the 41Unicode.t is broken.
> $dbh->do("INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) values (100,
> '$data[0]', '$data[1]', '$data[2]')");

Do you know what SQL injection means? If yes, why do you still use this code style? If no, please learn what it means, a good starting point is http://en.wikipedia.org/wiki/SQL_injection

> (ok I know we should only use bound values but there are tons of code
> working without so it would be nice if that worked as well.

Why should I (or someone else) build (probably huge) workarounds only to *OPEN* security holes?

OK, that's enough ranting for today, back to the facts:

It can't work, because the ODBC API only accepts non-Unicode SQL statements, or at least I did not find a way to make ODBC work with SQL strings encoded in UTF-8 or UTF-16 from a non-Unicode application like perl.exe (and I think there is no way for a Unicode application to use a non-Unicode SQL string except by converting it to Unicode). The parameters are a completely different thing, they are passed to the ODBC database driver without modification, and (at least for the SQL Server and Oracle driver) from there to the database server, again without modification, no matter if the application is Unicode or Non-Unicode (like perl.exe). The same applies to fetched column values.

> Will someone who understands this better than I do
> release a version to CPAN? Even if that is only an unofficial
> development release
> (e.g. 1.14_01 )

I still hope for someone to do this. I do not have enough insight into ODBC on Win32 and the inner workings of DBI drivers to declare my patch as good enough for a release. For that, I would need to be sure that the code is right and works with all of DBI, not just know that it works with *one* application that uses only a small part of DBI.

The patched code should at least disable the Win32-specific hack on non-Win32 platforms, preferably, it would also work on non-Win32 platforms. This is clearly something that was neither tested nor a target for the patch.

> Has Jeff Urlwin disappeared from the Perl world?

That's a *very* good question. Perhaps Tim Bunce knows more? If Jeff has gone, someone should take over DBD::ODBC development, and if not for Unicode support, then at least for the new DBI features added during the past three years.
Alexander
--
Alexander Foken
mailto:alexander@xxxxxxxx http://www.foken.de/alexander/
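
The two statement styles discussed in this message, side by side, as an added example that is not part of the original e-mail or of DBD::ODBC: the interpolated INSERT from the quoted test next to the same INSERT with placeholders. Assumptions: an in-memory SQLite database (DBD::SQLite) stands in for the ODBC data source so the script runs offline, and the three sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

binmode STDOUT, ':encoding(UTF-8)';

# Assumption: in-memory SQLite stands in for the ODBC data source so this
# runs offline; the prepare/execute calls are plain DBI and driver-independent.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, sqlite_unicode => 1 });

$dbh->do('CREATE TABLE PERL_DBD_TABLE1 (i INTEGER, nva TEXT, nvb TEXT, nvc TEXT)');

# Constructed sample data: one value with an apostrophe, two with non-ASCII text.
my @data = ("O'Brien", "Gr\x{fc}\x{df}e", "\x{65e5}\x{672c}\x{8a9e}");

# Interpolated form from the quoted test: each value becomes part of the SQL
# text, so the apostrophe ends the string literal early and the statement
# no longer parses as intended.
my $ok = eval {
    $dbh->do("INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) values (100,
        '$data[0]', '$data[1]', '$data[2]')");
    1;
};
print 'interpolated: ', ($ok ? 'inserted' : "failed: $@"), "\n";

# Bound form: the SQL text is a constant and the values travel separately as
# parameters, so quoting and character encoding never touch the statement.
my $sth = $dbh->prepare(
    'INSERT INTO PERL_DBD_TABLE1 (i,nva,nvb,nvc) VALUES (?,?,?,?)');
$sth->execute(100, @data);

# Read the row back and compare it with what was bound.
my $row = $dbh->selectrow_arrayref(
    'SELECT nva, nvb, nvc FROM PERL_DBD_TABLE1 WHERE i = ?', undef, 100);
my $same = join("\0", @$row) eq join("\0", @data);
print 'bound round-trip: ', ($same ? 'ok' : 'MISMATCH'), "\n";
```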