On Thursday, 2 February 2017 at 13:28:48 UTC, Shachar Shemesh
wrote:
On 02/02/17 14:50, Adam D. Ruppe wrote:
On Thursday, 2 February 2017 at 05:33:57 UTC, FrankLike wrote:
For example, I want to do the execution of stored procedure
for
MSSql、MySQL database. I found in Mysql-d, Mysql-Native, arsd,
DDBC,
etc. there is no result.
db.query("CALL my_procedure(args...)");
Generally speaking, you really don't want to do that. Ever.
This code is how SQL injection vulnerabilities are born.
Arguments should ALWAYS be passed out of line of the actual
call command, so that the server has no chance of confusing
arguments and commands.
Sadly, that typically requires a DB library specific to the DB
in use.
Shachar
Do you really think that Adam does not know what is SQL-injection?
