> And then there's nsdb - I think the more specific selectProc should be
> tried first for select operations, but since it's been this way for a
> while, would changing this break some other drivers (where the
> selectProc has never been called, or tested)?  The postgres driver is at
> least aware of this judging by a comment that the select function is
> never called by the server, but how would the other drivers fare?

The select proc is only in the pg driver in order to support some ancient
AOLserver 2 functionality that I doubt anyone else uses any more.

It shouldn't appear in your sqlite3 driver, IMO.

I suggest you implement Stephen Deasy's straightforward check that
differentiates between queries that return rows (i.e. SELECT queries but
using SQLite's parser) to differentiate between NS_ROWS and NS_DML
queries.

As far as security goes, no one should allow for the direct execution of
external SQL anyway, not even a SELECT.  If someone's code breaks because
they execute a "DROP TABLE" statement sent to their site via a query
string or whatever, there's not much reason to have sympathy for them.


--
AOLserver - http://www.aolserver.com/
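
One way to make the rows-versus-DML distinction described above, as an added example that is not part of the original message or of any AOLserver driver: let SQLite report whether the statement has result columns instead of matching on the word SELECT. It uses Python's sqlite3 module as a stand-in for the C API (where the equivalent test is sqlite3_column_count() on the prepared statement); db_exec, demo, the string result codes and the sample table are assumptions.

```python
import sqlite3

# Stand-ins for the nsdb result codes named in the message (assumed values).
NS_ROWS, NS_DML = "NS_ROWS", "NS_DML"


def db_exec(conn, sql, params=()):
    """Run one statement and classify it the way a driver's exec proc would."""
    cur = conn.execute(sql, params)
    # description is None when the compiled statement has no result columns,
    # i.e. the case where sqlite3_column_count() returns 0 in the C API.
    if cur.description is None:
        return NS_DML, []
    return NS_ROWS, cur.fetchall()


def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample database
    statements = [
        ("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)", ()),
        ("INSERT INTO users (name) VALUES (?)", ("alice",)),
        ("SELECT name FROM users WHERE id = ?", (1,)),
        # No matching row: still a row-returning statement.
        ("SELECT name FROM users WHERE id = ?", (99,)),
        # Leading comment and lower case would defeat a naive prefix test.
        ("  -- comment first\n select count(*) from users", ()),
        # Not a SELECT, yet it returns rows.
        ("PRAGMA table_info(users)", ()),
        ("UPDATE users SET name = ? WHERE id = ?", ("bob", 1)),
    ]
    return [db_exec(conn, sql, params) for sql, params in statements]


if __name__ == "__main__":
    for kind, rows in demo():
        print(kind, rows)
```

Values reach the statements only through bound parameters, so the SQL text itself never contains request data.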
