Alessandro Vesely writes:
Sam Varshavchik wrote:
Alessandro Vesely writes:
* use mysql escape function also in a number of other places; the
MySQL team took years to get it straight...
Well, I don't think they got it right. There's no bounds checking in
mysql_real_escape_string! The
Sam Varshavchik wrote:
Alessandro Vesely writes:
Sam Varshavchik wrote:
Alessandro Vesely writes:
* use mysql escape function also in a number of other places; the
MySQL team took years to get it straight...
Well, I don't think they got it right. There's no bounds checking in
Alessandro Vesely writes:
Sam Varshavchik wrote:
Alessandro Vesely writes:
Sam Varshavchik wrote:
Alessandro Vesely writes:
* use mysql escape function also in a number of other places; the
MySQL team took years to get it straight...
Well, I don't think they got it right. There's no
Sam Varshavchik wrote:
Alessandro Vesely writes:
* use mysql escape function also in a number of other places; the
MySQL team took years to get it straight...
Well, I don't think they got it right. There's no bounds checking in
mysql_real_escape_string! The documentation claims you
Alessandro Vesely wrote:
On the other hand, we cannot guarantee that prepared statements work
in *all* cases.
Why not?
Gordon Messmer wrote:
Alessandro Vesely wrote:
On the other hand, we cannot guarantee that prepared statements work
in *all* cases.
Why not?
Some forms of queries don't work. E.g. you cannot have parameter
markers on both sides of a comparison, as in WHERE ? = ?, for
Finally, I managed to get my hands on that code :-)
Gordon Messmer wrote:
Alessandro Vesely wrote:
Indeed, to use prepared statements would be itself a good reason to review
that code. It was added in MySQL 4.1.2; the auth code still has a conditional
part for older MySQL versions. Should I
Alessandro Vesely writes:
* use mysql escape function also in a number of other places; the
MySQL team took years to get it straight...
Well, I don't think they got it right. There's no bounds checking in
mysql_real_escape_string! The documentation claims you just need to provide
enough