The SOCI prepared statements syntax is supported by the MySQL backend; it
is just not using the mysql_stmt_* API internally, but caching the query
strings on the client (I believe the same is true for the PostgreSQL backend).

Using the mysql_stmt_* API for the prepared statements seems like an OK
thing to do, but it would be a pretty big change so we could only accept it
if you were committed to maintaining the code afterwards.

Thanks,

Aleksander


On Thu, Mar 28, 2013 at 9:55 AM, Thiago Goulart <[email protected]> wrote:

> Hi Aleksander, thanks for your time.
>
> So the MySQL backend does not have Prepared Statements as mentioned in the
> "Statements, procedures and transactions" doc section. Only string escaping
> is supported.
>
> Prepared statements have one main advantage: increased performance for
> queries executed more than once.
>
> Is there any SOCI backend with Prepared Statement support?
> I would like to contribute a refactoring of session.prepared, if you
> want.
>
>
>
> ------------------------------
> From: [email protected]
> Date: Wed, 27 Mar 2013 09:04:21 -0700
> To: [email protected]
> Subject: Re: [soci-users] SOCI not support Prepared Statement(SQL
> Injection) for MySQL backend
>
>
>
> That is correct.  The MySQL backend uses the older API.
>
> Regarding the SQL injection, note that the string values you pass as use()
> elements will be escaped with mysql_real_escape_string().
>
> Thanks,
>
> Aleksander
>
>
> On Wed, Mar 27, 2013 at 6:37 AM, Thiago Goulart <[email protected]> wrote:
>
> Hi guys!
>
> I hope this can help social community about Prepared Statement.
>
> I'm protecting my code against an SQL Injection attack and I'm testing
> the SOCI mysql backend.
>
> Prepared Statements have their own API....
> http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html
>
> that is different from the common API. SOCI uses the common API. So Prepared
> Statements are not supported by SOCI.
>
> For example, I'm analyzing soci_mysql_test_static app in ...
>
> // The prepared statements should survive session::reconnect().
> void test8()
>
> and it's using mysql_real_query to execute an SQL statement. BUT this API
> is just for direct execution.
>
> For Prepared Statements, there is another API (mysql_stmt_init,
> mysql_stmt_prepare, mysql_stmt_bind_param and mysql_stmt_execute).
>
> If I'm wrong let me know!
>
> Tks!
>
>
>
> ------------------------------------------------------------------------------
> Own the Future-Intel® Level Up Game Demo Contest 2013
> Rise to greatness in Intel's independent game demo contest.
> Compete for recognition, cash, and the chance to get your game
> on Steam. $5K grand prize plus 10 genre and skill prizes.
> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
> _______________________________________________
> soci-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/soci-users
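The client-side approach discussed in this thread, as an added example that is not part of the original messages and is not SOCI's or libmysqlclient's code: the query template is kept on the client, the value is escaped and quoted, and the finished text is what a direct-execution call such as mysql_real_query() would receive. `escape_value` is a simplified stand-in for mysql_real_escape_string(), and `bind_client_side`, the template and the input are hypothetical, constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for mysql_real_escape_string(): backslash-escapes the
 * same bytes but, unlike the real function, ignores the connection charset. */
static size_t escape_value(char *out, const char *in, size_t len)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        switch (in[i]) {
        case '\0': out[o++] = '\\'; out[o++] = '0'; break;
        case '\n': out[o++] = '\\'; out[o++] = 'n'; break;
        case '\r': out[o++] = '\\'; out[o++] = 'r'; break;
        case 0x1a: out[o++] = '\\'; out[o++] = 'Z'; break;
        case '\\': case '\'': case '"': out[o++] = '\\'; out[o++] = in[i]; break;
        default:   out[o++] = in[i]; break;
        }
    }
    out[o] = '\0';
    return o;
}

/* Hypothetical helper: fill the first ":name" placeholder of a cached query
 * template with the quoted, escaped value. The result is ordinary SQL text,
 * the kind passed to mysql_real_query(). Returns 0 on success, -1 on error. */
int bind_client_side(char *out, size_t cap, const char *tmpl, const char *value)
{
    const char *p = strchr(tmpl, ':');
    if (p == NULL) return -1;               /* no placeholder in the template */
    const char *rest = p + 1;
    while (isalnum((unsigned char)*rest) || *rest == '_') rest++;
    size_t head = (size_t)(p - tmpl), vlen = strlen(value);
    if (head + 2 * vlen + 2 + strlen(rest) + 1 > cap)  /* worst case: all escaped */
        return -1;
    memcpy(out, tmpl, head);
    out[head++] = '\'';
    head += escape_value(out + head, value, vlen);
    out[head++] = '\'';
    strcpy(out + head, rest);
    return 0;
}

int main(void)
{
    char sql[256];  /* constructed template and hostile-looking input */
    if (bind_client_side(sql, sizeof sql,
            "SELECT id FROM users WHERE name = :name", "x' OR '1'='1") == 0)
        puts(sql);  /* the quotes in the input stay inside the string literal */
}
```

With the mysql_stmt_* API the value is bound and sent separately from the statement text, so no escaping step of this kind is involved.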