On 1/24/06, John Siracusa <[EMAIL PROTECTED]> wrote:
> On 1/24/06, Rob Kinyon <[EMAIL PROTECTED]> wrote:
> > It's a $dbh attribute.
> >
> > $dbh->{mysql_unsafe_bind_type_guessing} = 1;
> >
> > The reason it's considered 'unsafe' is that, theoretically, it's a
> > place where SQL Injection -could- occur. However, it's extremely
> > unlikely, given the strictness of the parsing. (You can review the
> > parsing yourself - it's in dbdimp.c)
>
> Okay, I'll give it a try.  It won't be unsafe in the context of RDBO
> bitfields because the values are produced by format_bitfield(), which
> we control.  Of course, now I have to add code to figure out when I
> need to use this attribute and when I don't.  Safe or not, I don't
> want to have it turned on for every query.

The reason I wrote the patch is so that I would use indices for
numeric columns. If MySQL has to convert the value from a string to a
number, it doesn't use an index. You might want to consider that when
dealing with stuff.

Also, you might want to consider using bind_param() instead of passing
parameters to execute() directly. This patch only deals with
parameters that don't have a type associated with them. If you use
bind_param() instead, then you can associate the type and DBD::mysql
shouldn't auto-quote it.

Rob
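To make the bind_param() suggestion concrete, here is a small added example (my own code, not from the thread, RDBO or DBD::mysql) that binds the numeric placeholder with an explicit SQL_INTEGER type instead of turning on the mysql_unsafe_bind_type_guessing attribute for the whole handle. It assumes a MySQL reachable through the DSN in $ENV{DSN}, credentials in $ENV{DBUSER}/$ENV{DBPASS}, and a table "items" with an indexed INT column "id" and a VARCHAR column "name"; execute_typed() and the column names are inventions for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: bind numeric placeholders with an
# explicit DBI type so DBD::mysql sends them unquoted (WHERE id = 42), which
# lets MySQL use the index on id without enabling type guessing globally.
# Assumptions: DSN/credentials in the environment and an "items" table with an
# indexed INT column "id" and a VARCHAR column "name".
use strict;
use warnings;
use DBI qw(:sql_types);

my $dbh = DBI->connect($ENV{DSN} || 'dbi:mysql:database=test',
                       $ENV{DBUSER}, $ENV{DBPASS},
                       { RaiseError => 1, PrintError => 0 });

# Leave guessing off (the default): untyped values passed to execute() are
# quoted as strings, e.g. WHERE id = '42', and the conversion can skip the index.
$dbh->{mysql_unsafe_bind_type_guessing} = 0;

# Bind each placeholder with the type its column expects; numeric columns get
# SQL_INTEGER, anything not listed falls back to SQL_VARCHAR (quoted).
sub execute_typed {
    my ($sth, $values, $types) = @_;
    for my $i (0 .. $#$values) {
        my $type = $types->[$i] // SQL_VARCHAR;
        # A value bound as an integer must look like one, so nothing that would
        # have needed quoting can ever reach the SQL text unquoted.
        die "non-integer value for integer placeholder " . ($i + 1) . "\n"
            if $type == SQL_INTEGER && $values->[$i] !~ /\A-?\d+\z/;
        $sth->bind_param($i + 1, $values->[$i], $type);
    }
    return $sth->execute();
}

my $sth = $dbh->prepare('SELECT id, name FROM items WHERE id = ? AND name = ?');
execute_typed($sth, [ '42', 'widget' ], [ SQL_INTEGER, SQL_VARCHAR ]);
while (my ($id, $name) = $sth->fetchrow_array) {
    print "$id\t$name\n";
}

# The check rejects a non-numeric value for the integer placeholder before
# anything is sent to the server.
eval { execute_typed($sth, [ '42abc', 'widget' ], [ SQL_INTEGER ]) };
print "rejected: $@" if $@;

$dbh->disconnect;
```

The attribute name is the one used in this thread; the integer check is an extra guard of my own on top of the typed binding, not something DBD::mysql requires.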


_______________________________________________
Rose-db-object mailing list
Rose-db-object@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rose-db-object
