Jerome Martin wrote:
> Hello Daniel,
> On Sun, 2007-01-14 at 21:32 +0200, Daniel-Constantin Mierla wrote:
> > I just committed on the cvs an update to unixodbc which escapes single
> > quotes, backslashes and NULL characters. Could you give it a try and let
> > me know if it works? Long term solution would be to use prepared statement
> > APIs -- needs more investigation.
> I just took a look at your code, but did not test it, because it won't
> work. It is not as simple as that for single-quotes.
> I even wonder if it is possible to do it cleanly in the unixodbc module,
> maybe this needs to be done directly in the DB adapter code or in the
> other modules.
> The outline is: in order to insert a literal single-quote in a
> single-quote-delimited SQL statement, you need to double the literal
> single-quote:
> Let's say I know a place named "Joe's":
> correct statement: SELECT phone FROM myTable WHERE phone='Joe''s';
> INCORRECT one: SELECT phone FROM myTable WHERE phone='Joe\'s';
> What do you think?
I have just checked with postgresql. The PQEscape... function also
converts ' into ''
regards
klaus
--
Klaus Darilion
nic.at
_______________________________________________
Devel mailing list
Devel@openser.org
http://openser.org/cgi-bin/mailman/listinfo/devel
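An added example (not code from the OpenSER unixodbc module or from anyone on this thread) illustrating Jerome's point: `sql_escape_literal` doubles single quotes as standard SQL requires, and `sql_literal_length` scans a quoted literal under the same rules to show that the backslash-escaped form `'Joe\'s'` closes the literal early and leaves `s'` dangling. Both function names and the fixed-size buffer handling are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a string for use inside a single-quote-delimited SQL literal by
 * doubling every single quote (the standard SQL rule, not backslashes).
 * Writes into out (size outlen); returns the escaped length excluding the
 * terminating NUL, or -1 if out is too small to hold the result. */
int sql_escape_literal(const char *in, char *out, size_t outlen)
{
    size_t need = 0;
    for (const char *p = in; *p; p++)
        need += (*p == '\'') ? 2 : 1;
    if (need + 1 > outlen)
        return -1;
    char *o = out;
    for (const char *p = in; *p; p++) {
        if (*p == '\'')
            *o++ = '\'';   /* '' stays a single quote inside the literal */
        *o++ = *p;
    }
    *o = '\0';
    return (int)need;
}

/* Scan a standard-SQL quoted literal that starts at s[0] == '\''.
 * A doubled quote ('') is part of the literal; a backslash is an ordinary
 * byte with no escaping meaning. Returns the number of bytes the literal
 * occupies including both delimiters, or -1 if it is never closed. */
int sql_literal_length(const char *s)
{
    if (s[0] != '\'')
        return -1;
    for (const char *p = s + 1; *p; p++) {
        if (*p == '\'') {
            if (p[1] == '\'') { p++; continue; }   /* escaped quote, keep going */
            return (int)(p - s + 1);               /* closing delimiter found */
        }
    }
    return -1;
}

int main(void)
{
    char buf[64];
    sql_escape_literal("Joe's", buf, sizeof buf);   /* constructed input */
    printf("SELECT phone FROM myTable WHERE phone='%s';\n", buf);
    /* The backslash form ends the literal after 6 bytes: 'Joe\' and then s' */
    printf("literal length of 'Joe\\'s': %d\n", sql_literal_length("'Joe\\'s'"));
    return 0;
}
```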