I asked the same question a month or so ago.

Apparently it is supported by the driver, but not the implementation.

GLORP mentions it also supports parametrized queries. In the case of
Oracle it can be not only a security concern, but also a performance
issue (the CPU use can skyrocket when compiling the amount of queries
created by an ORM under a heavy load).

For now I'm escaping what I can at the image level, because I haven't
had time to look deeper into it.
But parametrized queries (aka prepared statements) are the way to go.

About OpenDBX as a project, I can't say much. I don't even know
comparison numbers between going native or using DBX in between.

Regards,


Esteban A. Maringolo


2014/1/14 Daniel Lyons <fus...@storytotell.org>:
> I'd like to run some ad-hoc queries against my database without opening up a 
> security vulnerability. I don't see any direct way to use parameterized 
> queries from DBXTalk. I'd expect to see something like 
> #executeStatement:withArguments: but I don't. In fact, I don't even see 
> odbx_escape in the image anywhere. What's the trick here? Surely GlorpDBX et
> al. are not gluing together bits of SQL with bits of user-supplied text and 
> running it unescaped. What am I missing?
>
> http://www.linuxnetworks.de/doc/index.php/OpenDBX/C_API/Usage#Executing_statements
>
> Thanks for your time,
>
> —
> Daniel Lyons
>
>
>
>
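An added illustration of the point made in the thread (not DBXTalk or OpenDBX code; it uses Python's built-in sqlite3 so it runs stand-alone): escaping user text at the application ("image") level only helps in the one syntactic context the escape routine was written for, whereas a bound parameter never becomes SQL text at all. The table, rows and `escape_literal` helper are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [(1, "alice", 100), (2, "bob", 250), (3, "carol", 40)])
    return con


def escape_literal(value):
    """Assumed application-side escape routine: doubles single quotes, which is
    correct for a quoted string literal and useless anywhere else."""
    return str(value).replace("'", "''")


def glued_query(con, owner):
    """SQL text glued to escaped user text inside a quoted literal.
    Works here only because the escape rule matches this exact context."""
    sql = "SELECT id FROM accounts WHERE owner = '" + escape_literal(owner) + "'"
    return [row[0] for row in con.execute(sql)]


def glued_numeric_query(con, account_id):
    """Same gluing in a numeric context: nothing is quoted, so quote escaping
    changes nothing and the user text is parsed as SQL."""
    sql = "SELECT id FROM accounts WHERE id = " + escape_literal(account_id)
    return [row[0] for row in con.execute(sql)]


def parameterized_query(con, owner):
    """Prepared statement: the value is bound, never spliced into the SQL."""
    sql = "SELECT id FROM accounts WHERE owner = ?"
    return [row[0] for row in con.execute(sql, (owner,))]


def parameterized_numeric_query(con, account_id):
    """Binding works the same in a numeric context; a non-numeric value simply
    matches nothing instead of altering the query."""
    sql = "SELECT id FROM accounts WHERE id = ?"
    return [row[0] for row in con.execute(sql, (account_id,))]
```

The same statement text is also what lets a database cache one compiled plan across many executions, which is the Oracle parse-load point raised above.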
